Hacked?
Chris BeHanna
behanna at zbzoom.net
Fri May 9 10:22:31 PDT 2003
On Friday 09 May 2003 11:45, Peter Elsner wrote:
> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...

*AFTER* you boot from CD-ROM and newfs every partition on the
disk, right? That is the *only* way you can be sure you've removed
all of the noisome pieces of the rootkit.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna at bogus.zbzoom.net
Turning coffee into software since 1990.
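
Added example, not part of the original messages: a check for the kind of artifact shown in the quoted listing (a dot-directory and a regular file under /dev), reading directories directly instead of trusting the system's `ls`. The function names and the `MAKEDEV` allowlist are assumptions made for this sketch, and it is meant to be pointed at the suspect disk's /dev mounted from trusted boot media, for example a placeholder path such as `/mnt/dev`.

```python
import os
import stat
import sys
import tempfile

# Assumption: regular files that legitimately live in a static /dev tree.
KNOWN_REGULAR = {"MAKEDEV", "MAKEDEV.local"}


def suspicious_dev_entries(dev_root):
    """Return sorted (relative_path, reason) pairs for entries that do not
    belong in a device directory: dot-directories and regular files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, dev_root)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            if stat.S_ISDIR(mode) and name.startswith("."):
                findings.append((rel, "hidden directory"))
            elif stat.S_ISREG(mode) and name not in KNOWN_REGULAR:
                findings.append((rel, "regular file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample mirroring the layout in the quoted listing."""
    os.makedirs(os.path.join(root, "fd", ".99"))
    with open(os.path.join(root, "fd", ".99", ".ttyf00"), "w") as f:
        f.write(".99\n.ttyf00\n")  # constructed content
    with open(os.path.join(root, "MAKEDEV"), "w") as f:
        f.write("#!/bin/sh\n")  # allowlisted, must not be reported
    os.symlink("fd/0", os.path.join(root, "stdin"))  # symlink, not reported


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = suspicious_dev_entries(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            results = suspicious_dev_entries(tmp)
    for rel, reason in results:
        print(f"{reason}: {rel}")
```

A clean result from this scan does not show that a system is clean; it only looks for this one class of leftover.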
More information about the freebsd-security mailing list