Hacked or not ?
azze
azze at bl0wf1sh.ath.cx
Fri May 21 13:10:36 PDT 2004
maybe you should
- grep the 4.9-STABLE sources of chfn, chsh, date, ls, ps,
  build them and diff/md5 the built binaries
- ktrace(dump) the (current) ls, etc. against the (fresh) cvs version (rev for 4.9-S)
- just reinstall the system :)
R> Hi,
R> I have a 4.9-STABLE FreeBSD box apparently hacked!
R> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
R> Those are:
R> chfn ... INFECTED
R> chsh ... INFECTED
R> date ... INFECTED
R> ls ... INFECTED
R> ps ... INFECTED
R> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
R> I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x.
R> But I'm not in that case. So I'm a little bit afraid and, as a newbie, I don't really know what to do....
R> I tried "truss ls" to find something strange and here is the output with something... suspicious to me:
R> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
R> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
R> getuid() = 0 (0x0)
R> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
R> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
R> break(0x809b000) = 0 (0x0)
R> break(0x809c000) = 0 (0x0)
R> break(0x809d000) = 0 (0x0)
R> break(0x809e000) = 0 (0x0)
R> ... and so on!
R> And if I am an intrusion victim.... what can I do? How can I restore
R> those files? And how can I find out how this cracker managed to break through my
R> firewall? I mean, where is the security hole?
R> PS: After checking other commands declared not infected, I found
R> out this ERR#2 is common.... maybe I have another problem here!
R> Thanks everyone!
R> razor.
R> _______________________________________________
R> freebsd-security at freebsd.org mailing list
R> http://lists.freebsd.org/mailman/listinfo/freebsd-security
R> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
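The first two steps azze suggests (rebuild the flagged programs from a clean 4.9-STABLE tree and md5/diff them against what is installed, then ktrace both copies) put into a small script. This is an added example, not code from either poster. It assumes the clean build was installed into a scratch DESTDIR that is passed in as FRESH_ROOT (INSTALLED_ROOT is normally "/"), and that paths are given relative to both roots (bin/ls, usr/bin/chfn, ...). The demo tree it builds is constructed data, not output from the reporter's box.

```shell
#!/bin/sh
# Added example (not from the thread): compare installed binaries that chkrootkit
# flagged against copies freshly built from a clean 4.9-STABLE source tree, and,
# on FreeBSD, diff the set of system calls the two copies make.
#
# Assumptions (labelled): the clean build was installed into a scratch DESTDIR,
# passed here as FRESH_ROOT; INSTALLED_ROOT is normally "/". Paths are relative
# to both roots (bin/ls, usr/bin/chfn, ...).

# Print a hex digest of a file: prefers FreeBSD md5(1), falls back to md5sum/cksum.
hash_file() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# compare_bins INSTALLED_ROOT FRESH_ROOT relpath...
# Prints MATCH / DIFFERS / MISSING per file; exit status is the number of
# files that do not match the fresh build (or could not be compared).
compare_bins() {
    installed_root=$1
    fresh_root=$2
    shift 2
    bad=0
    for rel in "$@"; do
        inst="$installed_root/$rel"
        fresh="$fresh_root/$rel"
        if [ ! -f "$inst" ] || [ ! -f "$fresh" ]; then
            echo "MISSING $rel"
            bad=$((bad + 1))
            continue
        fi
        h_inst=$(hash_file "$inst")
        h_fresh=$(hash_file "$fresh")
        if [ "$h_inst" = "$h_fresh" ]; then
            echo "MATCH   $rel $h_inst"
        else
            echo "DIFFERS $rel installed=$h_inst fresh=$h_fresh"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# FreeBSD only: ktrace a binary (syscalls only, -t c) and print the distinct
# system calls it made. kdump lines look like "  123 ls  CALL  open(0x...,0)",
# so field 3 is the record type and field 4 the call with its arguments.
syscall_profile() {
    trace=$(mktemp)
    ktrace -t c -f "$trace" "$@" >/dev/null 2>&1
    kdump -f "$trace" | awk '$3 == "CALL" { sub(/\(.*/, "", $4); print $4 }' | sort -u
    rm -f "$trace"
}

# compare_syscalls INSTALLED_BIN FRESH_BIN: diff the syscall sets of the two
# copies run with no arguments; silent when they agree.
compare_syscalls() {
    a=$(mktemp)
    b=$(mktemp)
    syscall_profile "$1" > "$a"
    syscall_profile "$2" > "$b"
    rc=0
    diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed demo tree: "ls" differs from the fresh build, "date" is identical,
# "ps" has no freshly built counterpart. Returns the mismatch count (2).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/installed/bin" "$d/fresh/bin"
    printf 'clean ls from cvs' > "$d/fresh/bin/ls"
    printf 'ls with extra code' > "$d/installed/bin/ls"   # constructed "infected" copy
    printf 'date' > "$d/fresh/bin/date"
    printf 'date' > "$d/installed/bin/date"
    printf 'ps' > "$d/installed/bin/ps"                   # nothing to compare against
    rc=0
    compare_bins "$d/installed" "$d/fresh" bin/ls bin/date bin/ps || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    demo && echo "all files match" || echo "non-matching files: $?"
fi
```

Two caveats a practitioner would add to azze's list. Run this from trusted media (a fixit CD or a mounted copy of the suspect disk on a clean machine): a rootkit that replaced ls and ps can just as easily have replaced md5, sh, awk or ktrace, in which case the comparison lies to you. And build the fresh copies with the same source revision and the same compiler flags as the installed system; a different CFLAGS or a newer -STABLE checkout produces a different md5 on a perfectly clean binary, so DIFFERS is a reason to look closer with diff and kdump, not proof of compromise by itself.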