Security Incidents mailing list archives

Re: DoS Trojan on Solaris


From: Gn0 () DATASURGE COM (Data_surge)
Date: Sat, 5 Feb 2000 06:35:59 +1100


It was discovered that the following programs had trojan replacements:
/usr/lib/nfs/lockd
/usr/lib/nfs/statd
/usr/openwin/bin/rpc.ttdbserverd
/usr/bin/login
/usr/bin/ps
/usr/bin/inetd
/usr/sbin/in.rlogind
/usr/sbin/login

"I'd look around a bit more, because there is more. If it has patched ps, it would have patched netstat."

Hello.

For starters, it was not a "HACKER", it was a cracker or script kiddie. Also, in a
typical crack, most likely he used the nlock exploit against your system, then
continued to copy or upload the rootkit; check your ftp logs and bsh history,
he probably entered all his commands in a bsh shell. Also, there are a lot of nasty
rootkits around; the one he used is very similar to lrk4 (comes with
sniffers etc.). What it does is trojan all your valuable services like ps,
netstat etc. to make your system appear fine when it is not. The DoS was
just a simple and very easy to obtain daemon or tool; it was most likely started
from another machine, because once a system is infected it can interact with
other infected systems to launch a much larger scale attack. I think the tool
used was similar to blitznet, or something similar, not trinoo!!! or they would
have probably crashed.

FIX
Use a firewall/router that filters ports 111 _and_ 32771, and
configure it so that it rejects all packets coming from outside
with a source IP which is inside your network. And of course
keep up with all the latest security patches and scan your network
regularly. For a scanner, Nessus: nice GUI and fast, kinda easy to install
but a very big program, and of course it is free...

Also, I think due to the attacker's lame ethics the machine was
probably easily exploited ("some lack of security"). I strongly recommend applying a
simple program patch that goes by the name of BASTILLE; it will stop this level
of intruder 70 to 100% of the time. Get it at www.securify.com/packetstorm.

Not sure if that helped.
Oh well, some simple info on a cracker's profile of attack:
"Simple standards stop simple minds"
"Advanced standards stop simple and smart minds, not advanced minds"
"Advanced minds stop advanced standards"
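The ingress policy from the FIX paragraph, as an added example that is not part of the original post: a small Python evaluator of the two rules it describes (drop ports 111 and 32771 arriving from outside, and drop any outside packet whose source address is inside the network), run over constructed sample packets. The 192.0.2.0/24 "inside" range and the packets are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the address block the post calls "inside your network".
INSIDE_NETS = [ip_network("192.0.2.0/24")]
# The two ports the post says to filter when they arrive from outside.
FILTERED_PORTS = {111, 32771}

@dataclass(frozen=True)
class Packet:
    src: str            # source IP as text
    dst: str            # destination IP as text
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    from_outside: bool  # True when it arrived on the external interface

def is_inside(addr: str) -> bool:
    """True if addr belongs to one of the protected internal ranges."""
    return any(ip_address(addr) in net for net in INSIDE_NETS)

def decide(pkt: Packet) -> str:
    """Apply the post's two ingress rules; return 'accept' or 'drop:<reason>'.
    Anti-spoofing is checked first, so a spoofed packet aimed at a filtered
    port is still recorded as spoofing."""
    if not pkt.from_outside:
        return "accept"                      # rules only cover inbound traffic
    if is_inside(pkt.src):
        return "drop:spoofed-inside-source"  # outside packet claiming an inside address
    if pkt.proto in ("tcp", "udp") and pkt.dport in FILTERED_PORTS:
        return "drop:rpc-port-from-outside"
    return "accept"

def audit(packets):
    """Return (list of (packet, verdict), number dropped) for a traffic sample."""
    decisions = [(p, decide(p)) for p in packets]
    return decisions, sum(1 for _, v in decisions if v != "accept")

# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "udp", 111, True),    # portmapper probe
    Packet("198.51.100.7", "192.0.2.10", "tcp", 32771, True),  # high RPC port
    Packet("192.0.2.99", "192.0.2.10", "tcp", 513, True),      # spoofed inside source
    Packet("198.51.100.7", "192.0.2.10", "tcp", 22, True),     # ordinary inbound
    Packet("192.0.2.5", "192.0.2.10", "udp", 111, False),      # internal RPC, allowed
]

if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE)[0]:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

The same two checks, expressed as rules on the external interface of a real firewall, are what the post asks for; the evaluator only makes the ordering (spoof check before port check) explicit.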

