Security Incidents mailing list archives
Re: /tmp/bob on compromised system
From: "Jeffrey F. Lawhorn" <jeffl () wanet net>
Date: Mon, 24 Jul 2000 21:25:14 -0700
In message <SIMEON.10007251058.J21192 () bluebottle itss>, Russell Fulton said:
Greetings,

We recently had a Solaris 7 box compromised. We *think* that the crackers got initial access through the oracle account, which has the default password :-(. Network logs show a finger to the box (which sent 3 chars and returned 600, presumably the list of accounts). This was followed a few seconds later by a telnet session. Logs were destroyed, so we cannot say with any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in /tmp and, unfortunately, he deleted them. One of the files he remembers deleting was /tmp/bob. Now that rings a bell in my memory, but I can't find any reference to it on securityfocus or anywhere else. I assume that this is a file left from a local elevation of privilege attack, but I would like confirmation of that.
/tmp/bob is a fingerprint from a rpc.statd exploit. Was rpc.statd running on the system? If so I'd lay very good odds that was how the system was compromised.

jeffl

--
Jeffrey F. Lawhorn | Internet Security Consulting
Software Design Associates, Inc. | IDS Monitoring/Reporting
jeffl () wanet net | Expunge Intruders
619-679-5900 voice | http://www.wanet.net/
619-679-2327 fax
Finger jeffl () wanet net for PGP Public Key. Insist on Quality!
WANet.Net is an ISP/C Member - http://www.ispc.org/
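The reply turns on one question a responder can answer in minutes: was rpc.statd registered with the portmapper, and do the other conditions from the original report (finger exposed, the /tmp artifact) hold? The following triage helper is an added example and not code from either poster. It parses the Solaris-style `rpcinfo -p` output, `inetd.conf`, and a /tmp directory listing, all of which are constructed sample data here; the only real identifier it relies on is RPC program number 100024, the NFS status monitor served by rpc.statd.

```python
"""Triage helper for the conditions discussed in the thread: rpc.statd registered
with the portmapper, finger enabled in inetd, and /tmp/bob present.
All input below is constructed sample data so the script runs offline."""

from dataclasses import dataclass

# RPC program 100024 is the NFS status monitor ("status"), served by rpc.statd.
STATD_PROGRAM = 100024

# Constructed sample of `rpcinfo -p` output (Solaris column layout:
# program vers proto port service).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32773  status
    100021    4   tcp   4045  nlockmgr
"""

# Constructed sample inetd.conf: finger is enabled, talk is commented out.
SAMPLE_INETD_CONF = """\
# Internet services
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
#talk   dgram   udp  wait    root   /usr/sbin/in.talkd    in.talkd
"""

# Constructed /tmp listing (file names only), including the artifact from the thread.
SAMPLE_TMP_LISTING = ["bob", ".X11-unix", "ps_data"]


@dataclass
class RpcService:
    program: int
    version: int
    proto: str
    port: int
    name: str


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into RpcService records, skipping the header line."""
    services = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        services.append(RpcService(int(parts[0]), int(parts[1]), parts[2],
                                   int(parts[3]), parts[4]))
    return services


def statd_registrations(text):
    """Return every portmapper registration belonging to rpc.statd (program 100024)."""
    return [s for s in parse_rpcinfo(text) if s.program == STATD_PROGRAM]


def enabled_inetd_services(text):
    """Return the service names of uncommented inetd.conf entries."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split()[0])
    return names


def triage(rpcinfo_text, inetd_text, tmp_names):
    """Collect findings relevant to the compromise path discussed in the thread."""
    findings = []
    statd = statd_registrations(rpcinfo_text)
    if statd:
        ports = sorted({(s.proto, s.port) for s in statd})
        findings.append(f"rpc.statd (program {STATD_PROGRAM}) registered on {ports}")
    if "finger" in enabled_inetd_services(inetd_text):
        findings.append("finger enabled in inetd.conf: remote account enumeration possible")
    if "bob" in tmp_names:
        findings.append("/tmp/bob present: matches the rpc.statd exploit artifact named in the thread")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RPCINFO, SAMPLE_INETD_CONF, SAMPLE_TMP_LISTING):
        print("-", finding)
```

On a live system the three inputs come from `rpcinfo -p`, `/etc/inetd.conf` and `ls -a /tmp`; copy the /tmp contents and the rpcinfo output to offline storage before touching anything, since the original report shows how quickly the artifact that would have answered the question was lost.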