Educause Security Discussion mailing list archives

Recent Solaris 9 compromises


From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Tue, 9 Mar 2004 14:11:34 -0800

We had some Solaris 9 systems compromised in the last week from
hosts in the 213.164.233 network (Romania).  They appeared to
exploit the systems via telnet, but it looks like the Solaris
telnetd and /bin/login bugs announced in Dec 2001 were fixed
in Solaris 9 before it was released.

From our argus data, it looks like they

  Probed tcp port 32773, which is opened by inetd.  3 packets exchanged.
  Perhaps a recon to see if it's Solaris?

  Connected to the target system via telnet.

  Approx. 1 MB file ftp'd over from a system at 66.218.65.72.  Rootkit?

  Connection to a backdoor sshd on port 54321 on the target system.

  Connection to an IRC server on port 6667 on the target system.

Has anyone else seen anything like this?  Unfortunately there are no
packet dumps or IDS logs of the attack so we can't tell how they got
in using telnet or /bin/login.


Mike Iglesias                          Email:       iglesias () draco acs uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
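As an added example (not part of Mike's post or the list archive), the following Python script turns the stage list above into a flow-correlation check that can be run over Argus `ra`-style records: an inbound probe on tcp/32773, a telnet session from the same outside host, an FTP control session followed by a large transfer from that FTP server, an inbound connection on a non-standard high port, and finally an outbound IRC connection, all within a time window. The flow records, the local address range (192.0.2.0/24), the 2-hour window and the 512 KB transfer threshold are constructed assumptions for the example; addresses use the RFC 5737 documentation ranges rather than the ones in the post.

```python
"""Correlate Argus-style flow records for the intrusion sequence described in
the post.  Added example with constructed data; the record layout approximates
`ra -n -s stime proto saddr sport daddr dport bytes` output."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: 192.0.2.10 sees the full chain, 192.0.2.11 sees only
# ordinary telnet and FTP traffic, 192.0.2.12 is probed and nothing more.
SAMPLE_FLOWS = """\
2004-03-05 02:11:03 tcp 198.51.100.7 41022 192.0.2.10 32773 312
2004-03-05 02:11:09 tcp 198.51.100.7 41030 192.0.2.10 23 18440
2004-03-05 02:14:51 tcp 192.0.2.10 33011 203.0.113.9 21 904
2004-03-05 02:14:53 tcp 192.0.2.10 33012 203.0.113.9 49152 1048576
2004-03-05 02:17:30 tcp 198.51.100.7 41088 192.0.2.10 54321 21992
2004-03-05 02:18:02 tcp 192.0.2.10 33020 203.0.113.44 6667 7711
2004-03-05 03:00:00 tcp 198.51.100.22 50110 192.0.2.11 23 9800
2004-03-05 03:05:00 tcp 192.0.2.11 44001 203.0.113.9 21 500
2004-03-05 03:40:00 tcp 198.51.100.7 41200 192.0.2.12 32773 312
"""

LOCAL_NET = ip_network("192.0.2.0/24")      # assumed site address space
RPC_PORT, TELNET, FTP_CTRL, IRC = 32773, 23, 21, 6667
BIG_TRANSFER = 512 * 1024                   # assumed threshold; post saw ~1 MB
WINDOW = timedelta(hours=2)                 # assumed: whole chain within 2 h


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts sorted by start time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, proto, sa, sp, da, dp, nbytes = line.split()
        flows.append({"t": datetime.fromisoformat(date + " " + clock),
                      "proto": proto,
                      "saddr": ip_address(sa), "sport": int(sp),
                      "daddr": ip_address(da), "dport": int(dp),
                      "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["t"])


def find_compromise_sequences(flows, local_net=LOCAL_NET):
    """Return {local_host: [stage names]} for hosts that complete the chain.

    Stages must occur in order: a telnet session only counts if the same
    outside host probed tcp/32773 first, the large transfer must come from
    the FTP server just contacted, and so on.  The download check accepts
    both passive FTP (outbound data channel) and active FTP (inbound from
    the server) because it matches on the peer address, not the port.
    """
    by_host = defaultdict(list)
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["daddr"] in local_net and f["saddr"] not in local_net:
            by_host[f["daddr"]].append(f)          # inbound from outside
        elif f["saddr"] in local_net and f["daddr"] not in local_net:
            by_host[f["saddr"]].append(f)          # outbound to outside
    hits = {}
    for host, hf in by_host.items():
        stages, st = [], {}
        for f in hf:
            inbound = f["daddr"] == host
            peer = f["saddr"] if inbound else f["daddr"]
            if "probe" in st and f["t"] - st["probe"] > WINDOW:
                break                               # chain went stale
            if "probe" not in st:
                if inbound and f["dport"] == RPC_PORT:
                    st["probe"], st["attacker"] = f["t"], peer
                    stages.append("rpc_probe")
            elif "telnet" not in st:
                if inbound and f["dport"] == TELNET and peer == st["attacker"]:
                    st["telnet"] = f["t"]
                    stages.append("telnet_from_prober")
            elif "ftp" not in st:
                if not inbound and f["dport"] == FTP_CTRL:
                    st["ftp"] = peer                # remember the FTP server
                    stages.append("ftp_control")
            elif "download" not in st:
                if peer == st["ftp"] and f["bytes"] >= BIG_TRANSFER:
                    st["download"] = f["t"]
                    stages.append("large_ftp_download")
            elif "backdoor" not in st:
                if (inbound and f["dport"] > 1024 and f["dport"] != RPC_PORT
                        and peer != st["ftp"]):
                    st["backdoor"] = f["dport"]
                    stages.append("inbound_high_port_%d" % f["dport"])
            elif not inbound and f["dport"] == IRC:
                stages.append("irc_client")
                hits[str(host)] = stages
                break
    return hits


if __name__ == "__main__":
    for host, stages in find_compromise_sequences(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", " > ".join(stages))
```

Against real `ra` output the script only needs `parse_flows` adjusted to the field order actually printed; the correlation itself is deliberately strict about ordering and about the prober and FTP server identities, so a host that merely receives a telnet login or downloads a large file does not match.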
