Security Incidents mailing list archives
Re: sadmind hack?
From: mcr () DYSON SPHERE COM (Chad Roberts)
Date: Fri, 14 Apr 2000 08:49:56 -0400
On Thu, Apr 13, 2000 at 02:13:09PM +0800, Yip Chan Keong wrote:
> I have gotten the following messages in my /var/adm/messages file on my
> Solaris 2.6 host. Is it a sign of a break-in? Telnet and ftp on my host
> are limited by TCP wrappers. Any idea how the exploit is made?
>
> Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
> Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
> Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
> Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
> Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
>
> many thanks and regards,
> /yck

I just recently investigated a box for a client that got hacked into, and sadmind is how they got in, at least as best I can tell. Entries exactly like those were in the messages file. Chances are that unless you patched against this (patch released Dec. '99, I think) you've been hacked.

I'd be interested in discussing details of what sorts of trojans, backdoors, etc. you've discovered, if any.

--
Chad Roberts
Senior System Engineer
chad () sphere com
Sphere Solutions, Inc.
http://www.sphere.com
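
A log check for the pattern discussed in this message, as an added example that is not part of the original post: it scans syslog lines for runs of Bus Error / Segmentation Fault crashes of a single inetd-spawned service. The function name, the thresholds and the assumed year are illustrative choices; the sample is the five lines quoted above plus one constructed line.

```python
import re
from datetime import datetime, timedelta

# Shape of the inetd crash reports quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) inetd\[\d+\]: "
    r"(?P<svc>/\S+): (?P<why>Bus Error|Segmentation Fault) - core dumped"
)

def find_crash_bursts(lines, year=2000, min_crashes=3,
                      max_gap=timedelta(seconds=30)):
    """Return (host, service, first, last, count) for every run of at least
    `min_crashes` memory-fault crashes of one service in which consecutive
    crashes are no more than `max_gap` apart. Syslog timestamps carry no
    year, so `year` is supplied by the caller (assumption)."""
    per_service = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            per_service.setdefault((m["host"], m["svc"]), []).append(ts)
    bursts = []
    for (host, svc), stamps in sorted(per_service.items()):
        stamps.sort()
        start = 0
        for i in range(1, len(stamps) + 1):
            # Close the current run at end of data or when the gap is too long.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap:
                if i - start >= min_crashes:
                    bursts.append((host, svc, stamps[start], stamps[i - 1], i - start))
                start = i
    return bursts

# The five lines from the post; the last line is constructed for contrast.
SAMPLE = """\
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
Apr 12 09:10:02 xxxx inetd[138]: /usr/sbin/in.ftpd: Segmentation Fault - core dumped
"""

if __name__ == "__main__":
    for host, svc, first, last, n in find_crash_bursts(SAMPLE.splitlines()):
        print(f"{host}: {svc} crashed {n} times between {first} and {last}")
```

A hit means the host should be checked for the vendor patch and examined for signs of compromise; it does not by itself prove a break-in.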