From: Don Sutter (drssuntreeaz.com)
Date: Tue Nov 13 2001 - 12:03:01 CST

    Has anyone tried looking at:
    http://www.sophos.com/virusinfo/analyses/linuxadore.html?

    ----- Original Message -----
    From: "Stefan Probst" <stefan.probst@opticom.v-nam.net>
    To: <freebsd-security@FreeBSD.ORG>
    Cc: "Rob Hurle" <rob@coombs.anu.edu.au>
    Sent: Tuesday, November 13, 2001 10:13 AM
    Subject: Adore worm

    > Good Evening,
    >
    > sorry for newbie-posting, but I don't have too much time to sift through
    > archives....
    >
    > Looks like my FreeBSD 4.2 Box (FreeBSD 4.2-RELEASE (GENERIC)) got hit by a
    > worm - or infested on purpose:
    >
    > I found a new directory /usr/lib/.fx/
    > which contains all kind of stuff.
    > One README file says:
    > >%cat README
    > > AdoreBSD 0.34 - Based off Linux Adore by Stealth
    > > Copyright (c) 2001 bind@gravitino.net
    > >
    > >Developed on FreeBSD 4.3-STABLE
    > >
    > >Installation:
    > > # make; make load
    > >
    > >Features:
    > > * hide file or directory from view
    > > * make processes invisible
    > > * hide promiscuous flag and syslog messages
    > > * execute as root
    > > * hide sysctl mib entries
    > > * netstat service hiding
    > > * authentication
    > > * module hiding
    >
    > I can't use "ps" anymore ("cannot fork" or "segmentation fault - core dumped").
    > "rc.conf" was modified and three lines with "/bin/xterm" added. I deleted
    > this "xterm" program, since it was also created/modified by the worm.
    > "rc" itself shows the date of the infection, but I don't know what was done.
    >
    > Anything known? Any ideas what to do? Looking forward to pointers....
    > Rgds,
    > Stefan
    >
    >
    > To Unsubscribe: send mail to majordomo@FreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >
