Security Incidents mailing list archives
Re: DoS Trojan on Solaris
From: Gn0 () DATASURGE COM (Data_surge)
Date: Sat, 5 Feb 2000 06:35:59 +1100
It was discovered that the following programs had trojan replacements:

/usr/lib/nfs/lockd
/usr/lib/nfs/statd
/usr/openwin/bin/rpc.ttdbserverd
/usr/bin/login
/usr/bin/ps
/usr/bin/inetd
______________________________________
/usr/sbin/in.rlogind
"I'd look around a bit more because there is more"
/usr/sbin/login

> if it has patched ps it would have patched netstat
------------------------------------

Hello. For starters, it was not a "HACKER"; it was a cracker or script kiddie. Also, a typical crack: most likely he used the nlock exploit against your system, then continued to copy or upload the rootkit. Check your ftp logs and bsh history; he probably entered all his commands in a bsh shell. Also, there are a lot of nasty rootkits around; the one he used is very similar to lrk4 (comes with sniffers etc.). What it does is trojan all your valuable services like ps, netstat etc. to make your system appear fine when it is not.

The DoS was just a simple and very easy to obtain daemon or tool. It was most likely started from another machine, because once a system is infected it can interact with other infected systems to launch a much larger scale attack. I think the tool used was similar to blitznet or something similar, not trinoo!!! or they would have probably crashed.

FIX: use a firewall/router that filters ports 111 _and_ 32771 and configure it so that it rejects all packets coming from outside with a source IP which is inside your network. And of course keep up with all the latest security patches and scan your network regularly. For a scanner, Nessus: nice GUI and fast, kinda easy to install, but a very big program, and of course it is free.........

Also, I think due to the attacker's lame ethics the machine was probably easily exploited ("some lack of security"). I strongly recommend applying a simple program patch that goes by the name of BASTILLE; it will stop this level of intruder 70 to 100% of the time. Get it at www.securify.com/packetstorm.

Not sure if that helped. Oh well. Some simple info on a cracker's profile of attack:

"Simple standards stop simple minds"
"Advanced standards stop simple and smart minds, not advanced minds"
"Advanced minds stop advanced standards"
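The border policy the reply recommends (drop RPC ports 111 and 32771 at the edge, and drop any packet arriving from outside that claims an inside source address), written out as an added example that is not part of the original thread. The Packet shape, the 192.0.2.0/24 "inside" range and the sample traffic are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: the protected network (a documentation prefix) and the
# two ports named in the post (sunrpc portmapper and the Solaris high RPC port).
INSIDE_NET = ip_network("192.0.2.0/24")
BLOCKED_PORTS = {111, 32771}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def filter_inbound(pkt: Packet) -> tuple:
    """Decide on a packet arriving on the outside interface.

    Returns (verdict, reason). The anti-spoofing check runs first so that a
    spoofed inside source is never let through on the strength of its port.
    """
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)
    if src in INSIDE_NET:
        return ("drop", "spoofed inside source address")
    if dst in INSIDE_NET and pkt.proto in ("tcp", "udp") and pkt.dport in BLOCKED_PORTS:
        return ("drop", f"rpc port {pkt.dport} blocked at border")
    return ("pass", "default")


def audit(packets):
    """Apply the policy to a batch; returns a list of (packet, verdict, reason)."""
    return [(p, *filter_inbound(p)) for p in packets]


# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("203.0.113.9", "192.0.2.10", "tcp", 111),     # portmapper probe
    Packet("203.0.113.9", "192.0.2.10", "udp", 32771),   # high RPC port probe
    Packet("192.0.2.77", "192.0.2.10", "tcp", 22),       # inside address seen from outside
    Packet("203.0.113.9", "192.0.2.10", "tcp", 80),      # ordinary web traffic
]

if __name__ == "__main__":
    for p, verdict, reason in audit(SAMPLE):
        print(f"{verdict:4} {p.proto}/{p.dport} {p.src} -> {p.dst}: {reason}")
```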