Hacked or not ?
M. Boelen
michael at computerpech.nl
Sat May 22 02:13:50 PDT 2004
Hi,
Someone else already told you about Rootkit Hunter, but forgot to
say you can install it from the FreeBSD Ports collection
(/usr/ports/security/rkhunter) ;-)
(it has been added this month, so a lot of FreeBSD users don't know it
yet)
Michael Boelen
Author of Rootkit Hunter
>Hi,
>
>I have a 4.9-STABLE FreeBSD box that has apparently been hacked!
>Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
>Those are:
>chfn ... INFECTED
>chsh ... INFECTED
>date ... INFECTED
>ls ... INFECTED
>ps ... INFECTED
>
>But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
>I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD 5.x versions,
>but I'm not in that case. So I'm a little bit afraid, and as a newbie I don't really know what to do....
>I tried "truss ls" to find something strange, and here are the outputs with something... suspicious to me:
>
>ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
>ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
>getuid() = 0 (0x0)
>readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
>mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
>break(0x809b000) = 0 (0x0)
>break(0x809c000) = 0 (0x0)
>break(0x809d000) = 0 (0x0)
>break(0x809e000) = 0 (0x0)
>...........................................................................................and so on!
>
>And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out what this cracker did to break my firewall? I mean, where is the security hole?
>PS: After checking other commands declared not infected, I found out this ERR#2 is common.... maybe I have another problem here!
>
>Thanks everyone!
>razor.
>_______________________________________________
>freebsd-security at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
--
This is my mailbox. There are many like it but this one is mine.
My mailbox is my best friend. It is my life. I must master it as I
master my life.
My mailbox, without me is useless. Without my mailbox, I am useless.
I must empty my mailbox true. I must clean him before he gets full.
I will....
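The thread turns on whether chfn, chsh, date, ls and ps have really been replaced. Neither chkrootkit's string signatures nor a truss trace settles that; what does is comparing the suspect binaries against hashes taken from a trusted copy of the same release (a clean install, the release media, or a freshly built /usr/obj). The script below is an added example written for this page, not code from the thread, from chkrootkit or from Rootkit Hunter. It assumes a manifest in the "<hex digest>  <path>" form that sha256sum or `sha256 -r` produce, with paths relative to a root directory, and it builds its own constructed sample tree so it runs offline. On a box you suspect, run the hashing tools from trusted media too: a trojaned ls is usually installed alongside a trojaned md5 or sha256.

```shell
#!/bin/sh
# Added example for this page (not from the thread, chkrootkit or rkhunter):
# verify binaries against a reference manifest of SHA-256 digests produced
# on a trusted copy of the same release. Manifest lines are assumed to be
# "<hex digest>  <relative path>" (sha256sum / sha256 -r output format).

# Portable SHA-256 of one file: GNU coreutils, BSD sha256, or openssl.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# check_manifest MANIFEST ROOT
# Prints "OK <path>", "MISMATCH <path>" or "MISSING <path>" per entry.
# Paths are resolved relative to ROOT, so a manifest made on a clean host
# can be checked against the live system (ROOT=/) or a mounted image.
# Returns 0 only if every entry matched.
check_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected path; do
        [ -z "$path" ] && continue                 # skip blank lines
        case $expected in '#'*) continue ;; esac   # skip comment lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$(hash_file "$file")" = "$expected" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Demonstration on constructed data: a fake "clean" tree, a manifest taken
# from it, and a suspect tree in which only ls has been replaced.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    for f in ls ps date; do
        printf 'original %s\n' "$f" > "$work/clean/bin/$f"
        cp "$work/clean/bin/$f" "$work/suspect/bin/$f"
    done
    printf 'trojaned ls\n' > "$work/suspect/bin/ls"   # the altered binary
    for f in ls ps date; do
        echo "$(hash_file "$work/clean/bin/$f")  bin/$f"
    done > "$work/manifest"
    check_manifest "$work/manifest" "$work/suspect"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo   # expected: OK bin/ps, OK bin/date, MISMATCH bin/ls; exit status 1
```

Keep the manifest off the suspect host (or on read-only media): a root-level intruder who can replace ls can also edit a hash list stored next to it. Running the check with ROOT set to a mounted filesystem from a boot CD avoids trusting the suspect kernel and libc at all.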