[scg-sec] FreeBSD exploit?

Paul Goyette pgoyette at juniper.net
Fri Mar 4 12:31:03 EST 2005


OK, so one of our customers found some weird stuff on a M-series
router while investigating the reasons for the box continually
crashing.  In addition to the stuff in the following directory,
it looks like the box was running an IRC server and a mail proxy.

Does any of this look familiar to anyone?  I'm guessing we got
compromised by poor passwords, but still not sure until I can
poke around the box myself.

/var/tmp/nesshbf/:
total 3620
-rw-r--r--  1 root  wheel          0 Feb 21 18:27 217.61.pscan.22
-rw-r--r--  1 root  wheel         38 Feb 21 06:30 log.bigsshf
-rw-r--r--  1 root  wheel          0 Feb 20 15:06 overnight.txt
-rwx------  1 root  wheel      21407 Feb 15 00:31 pscan2*
-rwx------  1 root  wheel     453972 Feb 15 00:31 ss*
-rwxr-xr-x  1 root  wheel    1347413 Feb 15 00:31 sshf*
-rwxr-xr-x  1 root  wheel        758 Feb 20 15:42 sshmass2*
-rw-r--r--  1 root  wheel         14 Feb 21 06:30 uniq.txt
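
An added example (the editor's, not code from the post, from Juniper or from any tool named in the listing) of how one might triage a directory listing like the one above offline. It parses the `ls -l` output quoted in the message, embedded here as the sample input, and flags each file with the reasons an incident responder would note: executables sitting in a world-writable temp directory, root ownership (the files were written with root privileges), filenames that follow scanner or mass-login tool conventions, and the one heuristic the listing alone supports well: three of the binaries carry the identical mtime, which is what you see when a toolkit tarball is unpacked rather than built on the box. The name patterns and the temp-directory list are assumptions made for this example, not a signature database.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the directory listing quoted in the post above
# (ls -lF style output; a trailing '*' marks an executable).
LISTING_DIR = "/var/tmp/nesshbf"
LISTING = """\
total 3620
-rw-r--r--  1 root  wheel          0 Feb 21 18:27 217.61.pscan.22
-rw-r--r--  1 root  wheel         38 Feb 21 06:30 log.bigsshf
-rw-r--r--  1 root  wheel          0 Feb 20 15:06 overnight.txt
-rwx------  1 root  wheel      21407 Feb 15 00:31 pscan2*
-rwx------  1 root  wheel     453972 Feb 15 00:31 ss*
-rwxr-xr-x  1 root  wheel    1347413 Feb 15 00:31 sshf*
-rwxr-xr-x  1 root  wheel        758 Feb 20 15:42 sshmass2*
-rw-r--r--  1 root  wheel         14 Feb 21 06:30 uniq.txt
"""

# One BSD/GNU "ls -l" line: mode, link count, owner, group, size, mtime, name.
LINE_RE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$"
)

# Heuristic name patterns (editor's assumptions, not a signature database):
# executables named like port scanners / mass SSH login tools, and result
# files named <octet>.<octet>.pscan.<port>, i.e. one scan output per /16.
TOOL_NAME_RE = re.compile(r"pscan|scan|mass|brute|ssh", re.I)
SCAN_OUTPUT_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.pscan\.\d{1,5}$")

# Directories where an executable owned by root is unexpected (assumption).
TEMP_DIRS = ("/tmp", "/var/tmp")


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    mtime: str
    name: str

    @property
    def executable(self) -> bool:
        # Any exec bit set in the nine permission characters (x, or s/t = exec+setuid/sticky).
        return any(c in "xst" for c in self.mode[1:])


def parse_listing(text: str) -> list[Entry]:
    """Parse ls -l output; skips the 'total N' header and unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m["name"].rstrip("*/@=|%")  # drop ls -F type indicator characters
        entries.append(Entry(m["mode"], m["owner"], m["group"],
                             int(m["size"]), m["mtime"], name))
    return entries


def unpack_groups(entries: list[Entry]) -> dict[str, list[str]]:
    """Executables sharing an identical mtime. tar and unzip restore archive
    timestamps, so several binaries with one mtime in a temp directory were
    most likely dropped by a single archive extraction, not built on the box."""
    by_mtime: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e.executable:
            by_mtime[e.mtime].append(e.name)
    return {t: names for t, names in by_mtime.items() if len(names) > 1}


def triage(entries: list[Entry], directory: str) -> dict[str, list[str]]:
    """Return {filename: [reasons]} for every entry that trips an indicator."""
    in_temp = directory.startswith(TEMP_DIRS)
    groups = unpack_groups(entries)
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if e.executable and in_temp:
            reasons.append("executable in a world-writable temp directory")
        if e.executable and in_temp and e.owner == "root":
            reasons.append("owned by root: written with root privileges")
        if e.executable and TOOL_NAME_RE.search(e.name):
            reasons.append("name matches scanner / mass-login tool pattern")
        if SCAN_OUTPUT_RE.match(e.name):
            reasons.append("name looks like per-/16 port-scan output (<a>.<b>.pscan.<port>)")
        if e.executable and e.mtime in groups:
            others = len(groups[e.mtime]) - 1
            reasons.append(f"shares mtime '{e.mtime}' with {others} other executable(s): likely unpacked together")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_listing(LISTING), LISTING_DIR).items():
        print(f"{LISTING_DIR}/{name}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the quoted listing, the script singles out the four executables and the `217.61.pscan.22` result file and leaves the small text files alone; `pscan2`, `ss` and `sshf` are reported as one unpack group (`Feb 15 00:31`), while `sshmass2`, five days newer, is not, which matches the picture of a kit dropped once and a wrapper script written later. Hashing the binaries and comparing `ls -lu`/`ls -lc` (atime and ctime) would be the natural next steps on the live box.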
