Hacked?

Timothy R. Geier tgeier at acsmail.com
Fri May 9 08:50:36 PDT 2003


On Friday 09 May 2003 10:21, Borja Marcos wrote:
> On Friday, May 9, 2003, at 16:07 Europe/Madrid, Peter Elsner wrote:
> > open("/dev/fd/.99/.ttyf00",0x0,0666)             = 3 (0x3)
>
> 	Look at this. This is a rootkit. What is this file? :-) Probably the
> typical rootkit config file.
>
> 	The "strings" command was good at this, but I have seen lately some
> rootkits replacing the strings command. Truss seems to be safer, at
> least for now.
>
> > I'm not exactly sure what I'm looking at... Do you see anything out of
> > the ordinary?
>
> 	Yes, something like that :-)
>
> 	If you "truss" commands like netstat, ps, etc, I am sure you will find
> similar operations. Look for open system calls with weird filenames or
> files in weird places, like above.
>
>
>
>
> 	Borja.
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

To add a few more thoughts to this, the most likely places for rootkit 
configurations and possibly executables are hidden directories under /tmp, 
/dev/, and /var/tmp.  Of course, these are not the only possible places, but 
they are the most popular.  

Also, the use of nmap or another port scanner from a remote machine can 
discover if the rootkit has left any backdoor ports open.  Since you've 
restored netstat, though, "netstat -l" should work just as well.  After 
determining if there are any backdoors, I would recommend removing the 
compromised machine from any network(s) it is on and then performing a 
detailed analysis, restoration, and hardening.  An article on this process 
can be found at http://www.securityfocus.com/infocus/1692.

-- 
Timothy R. Geier, Systems Administrator
Advanced Communications Systems
tgeier at acsmail.com
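The thread describes three checks by hand: truss a few system binaries and look for open() calls on oddly placed files, look for hidden directories under /tmp, /dev and /var/tmp, and compare listening ports against what the box is supposed to serve. The script below is an added example written for this post and is not code from either author or from the FreeBSD project; it bundles those three checks as shell functions over constructed sample data (a truss-style trace modelled on the quoted line, a fake netstat listing, and a scratch directory), so it runs offline. The allowlist of ports, the sample paths and the function names are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): three defender-side checks for
# rootkit residue on a suspected host. Everything below that looks like
# real data is constructed for demonstration.

# Constructed truss-style trace, modelled on the open() line quoted above.
SAMPLE_TRACE='open("/etc/passwd",0x0,0666)                   = 3 (0x3)
open("/dev/fd/.99/.ttyf00",0x0,0666)             = 4 (0x4)
open("/var/tmp/.x/cfg",0x0,0666)                 = 5 (0x5)
read(3,"root:*:0:0:",512)                        = 11 (0xb)
open("/tmp/.hidden/ps.conf",0x0,0666)            = 6 (0x6)'

# Constructed "netstat -an" style listing (one backdoor-looking listener).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.31337                *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 10.0.0.5.22            10.0.0.9.54021         ESTABLISHED'

# flag_suspicious_opens: read a trace on stdin, print the path of every
# open()/openat() call that lives under /dev, /tmp or /var/tmp AND has a
# dot-prefixed (hidden) component somewhere in it.
flag_suspicious_opens() {
    sed -n 's/^open[a-z]*("\([^"]*\)".*/\1/p' |
    awk -F/ '{
        # $1 is empty (leading slash); $2/$3 are the first directories.
        if ($2 != "dev" && $2 != "tmp" && !($2 == "var" && $3 == "tmp")) next
        for (i = 2; i <= NF; i++)
            if (substr($i, 1, 1) == ".") { print $0; break }
    }'
}

# find_hidden_dirs ROOT: list hidden directories anywhere below ROOT.
# Run it against /tmp, /dev and /var/tmp on the machine under review.
find_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null
}

# flag_unexpected_listeners "PORT PORT ...": read a netstat listing on
# stdin and print every LISTEN socket whose local port is not allowlisted.
flag_unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $NF == "LISTEN" {
            # Local address is host.port; the port is the last dotted field.
            m = split($4, p, ".")
            if (!(p[m] in ok)) print $4
        }'
}

# Demo on the constructed data. On a real host you would feed it
#   truss ps 2>&1 | flag_suspicious_opens
#   netstat -an | flag_unexpected_listeners "22 25"
echo "== suspicious open() calls =="
printf '%s\n' "$SAMPLE_TRACE" | flag_suspicious_opens
echo "== listeners not in the allowlist =="
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unexpected_listeners "22 25"
```

The path filter deliberately keys on hidden components rather than on any fixed filename, since the rootkit in the thread hid under /dev/fd with a dot-prefixed directory; run the trace check against a known-clean copy of truss, for the same reason the thread gives for not trusting strings.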