Educause Security Discussion mailing list archives
Recent Solaris 9 compromises
From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Tue, 9 Mar 2004 14:11:34 -0800
We had some Solaris 9 systems compromised in the last week from hosts in the 213.164.233 network (Romania). They appeared to exploit the systems via telnet, but it looks like the Solaris telnetd and /bin/login bugs announced in Dec 2001 were fixed in Solaris 9 before it was released.
From our argus data, it looks like they:

- Probed tcp port 32773, which is opened by inetd. 3 packets exchanged. Perhaps a recon to see if it's Solaris?
- Connected to the target system via telnet.
- Approx 1mb file ftp'd over from a system at 66.218.65.72. Rootkit?
- Connection to a backdoor sshd on port 54321 on the target system.
- Connection to an IRC server on port 6667 on the target system.

Has anyone else seen anything like this? Unfortunately there are no packet dumps or IDS logs of the attack so we can't tell how they got in using telnet or /bin/login.

Mike Iglesias                                  Email: iglesias () draco acs uci edu
University of California, Irvine               phone: 949-824-6926
Network & Academic Computing Services          FAX:   949-824-2069

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
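The post reconstructs the intrusion from argus flow data rather than packet captures, which is exactly the situation where a flow-level sequence rule is useful: no payload is needed to notice "probe of 32773, then telnet in, then a large inbound transfer, then traffic on 54321 and 6667 against the same host". The script below is an added example, not code from the original message or from argus; the flow records are a constructed, simplified format (time, proto, src, sport, dst, dport, packets, bytes), not real ra(1) output, and the target addresses, the 500 KB transfer threshold and the assumption that the stages are checked in time order are all mine.

```python
"""Flag hosts whose flow history matches the compromise sequence described
in the post: a short probe of tcp/32773, an inbound telnet session, a large
transfer from an outside host (the ~1 MB ftp), then traffic on the backdoor
sshd port (54321) and on the IRC port (6667).

Flow format here is constructed and simplified (NOT argus/ra output):
    time proto src sport dst dport packets bytes
"""

PROBE_PORT = 32773     # Solaris inetd RPC port probed in the post
BACKDOOR_PORT = 54321  # backdoor sshd port from the post
IRC_PORT = 6667        # IRC port from the post
MIN_TRANSFER_BYTES = 500_000  # "approx 1mb" in the post; threshold is an assumption

# Constructed sample flows. 10.0.0.5 is an assumed victim that shows the whole
# sequence; 10.0.0.6 only receives the probe and should not be flagged.
SAMPLE_FLOWS = """\
1078800000 tcp 213.164.233.10 3451 10.0.0.5 32773 3 180
1078800001 tcp 213.164.233.10 3452 10.0.0.6 32773 3 180
1078800060 tcp 213.164.233.10 3460 10.0.0.5 23 210 14200
1078800300 tcp 10.0.0.5 33001 66.218.65.72 21 40 2100
1078800301 tcp 66.218.65.72 20 10.0.0.5 33002 900 1048576
1078800900 tcp 213.164.233.10 3490 10.0.0.5 54321 120 9800
1078801000 tcp 10.0.0.5 33010 198.51.100.7 6667 300 21000
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts, sorted by start time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append({
            "time": int(t), "proto": proto,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes),
        })
    flows.sort(key=lambda f: f["time"])
    return flows


def stages_for_host(host, flows):
    """Return the stage names seen for `host`, in the order the post lists them.

    Each stage must start no earlier than the previously matched stage, so a
    lone probe or an unrelated IRC session does not build up a match.
    """
    def involves(f):
        return f["src"] == host or f["dst"] == host

    checks = [
        ("probe_32773", lambda f: f["dst"] == host and f["dport"] == PROBE_PORT
                                   and f["pkts"] <= 5),
        ("telnet_in", lambda f: f["dst"] == host and f["dport"] == 23),
        ("large_transfer", lambda f: involves(f) and f["bytes"] >= MIN_TRANSFER_BYTES),
        ("backdoor_54321_in", lambda f: f["dst"] == host and f["dport"] == BACKDOOR_PORT),
        # The post says "IRC server on port 6667 on the target system"; direction
        # is ambiguous, so either endpoint on 6667 counts (assumption).
        ("irc_6667", lambda f: involves(f) and IRC_PORT in (f["sport"], f["dport"])),
    ]

    stages, last_t = [], -1
    for name, pred in checks:
        for f in flows:
            if f["time"] >= last_t and pred(f):
                stages.append(name)
                last_t = f["time"]
                break
    return stages


def suspicious_hosts(flows, min_stages=4):
    """Map host -> matched stages for hosts showing at least `min_stages` stages."""
    hosts = {f["src"] for f in flows} | {f["dst"] for f in flows}
    hits = {}
    for h in sorted(hosts):
        s = stages_for_host(h, flows)
        if len(s) >= min_stages:
            hits[h] = s
    return hits


if __name__ == "__main__":
    for host, stages in suspicious_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", ", ".join(stages))
```

The ordering constraint is what keeps this from firing on ordinary traffic: a host that happens to talk IRC, or one that merely gets probed on 32773, does not accumulate stages. Against real argus data the same logic would be run over ra output with the field positions adjusted, and the byte threshold tuned to what an ftp of a rootkit tarball actually looks like on the site.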
Current thread:
- Recent Solaris 9 compromises Mike Iglesias (Mar 09)
- <Possible follow-ups>
- Re: Recent Solaris 9 compromises Scott Weeks (Mar 09)