Hacked?
Adam Dewis
apdewis at postoffice.utas.edu.au
Sat May 10 04:16:28 PDT 2003
On Fri, 09 May 2003 10:45:20 -0500 Peter Elsner wrote:
> here's what's in /dev/fd/.99
>
> # cd /dev/fd/.99
> # ll
> -rw-r--r-- 1 root wheel 70 May 2 18:05 .ttyf00
>
> The contents of that file are:
>
> # more .ttyf00
> .99
> .ttyf00
> .ttyp00
> in.inetd
> sshd
> /sbin/sshd
> /usr/sbin/in.inetd
> .fx
>
> I have already restored my ls and now my dates are back to normal... I
> have also restored netstat.
>
> I am now going to do a complete re-install of all binaries...
>
> Before I do, let me know if there's anything else you need...
>
> Peter
>
Doing a complete reinstall is all good and well, but installing a
rootkit means that the cracker used a hole to gain the required
permissions to do so. Which in practicality means that you will need to
patch the hole as well. Unfortunately I cannot offer any advice on
finding the hole, but mayhaps some other security guru on this list may
be able to steer you in the right direction?
Adam
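
The indicator in the quoted listing, a dot-named directory holding a regular file under /dev, can be checked for with POSIX shell. This is an added example, not code from either poster; the function names and the `PREFIX` argument are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Triage helpers for the
# indicator shown above: a dot-directory holding a regular file under /dev.

# scan_dev_tree [ROOT]
# Print "hidden-dir PATH" for every dot-named directory and
# "regular-file PATH" for every regular file below ROOT (default /dev).
# A device directory normally holds device nodes, symlinks and plain
# directories, so either finding deserves a closer look.
scan_dev_tree() {
    root=${1:-/dev}
    find "$root" ! -path "$root" -type d -name '.*' 2>/dev/null |
        while IFS= read -r p; do printf 'hidden-dir %s\n' "$p"; done
    find "$root" -type f 2>/dev/null |
        while IFS= read -r p; do printf 'regular-file %s\n' "$p"; done
}

# listed_paths_present LISTFILE [PREFIX]
# For each absolute path named in a recovered list file (such as the
# .ttyf00 contents quoted above), print the path if it exists under
# PREFIX. PREFIX is an assumption of this example: the mount point of a
# disk image or read-only mount of the suspect system ("" = live system).
listed_paths_present() {
    list=$1
    prefix=${2:-}
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            /*) if [ -e "$prefix$entry" ]; then printf '%s\n' "$entry"; fi ;;
        esac
    done < "$list"
}

# Typical use, with find and sh taken from known-good media because the
# thread reports that ls and netstat had been replaced:
#   scan_dev_tree /dev
#   listed_paths_present /dev/fd/.99/.ttyf00
```

Paths that `listed_paths_present` reports are candidates to preserve and compare against distribution copies before the reinstall overwrites them.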
More information about the freebsd-security mailing list