Security Incidents mailing list archives

Re: /tmp/bob on compromised system


From: "Jeffrey F. Lawhorn" <jeffl () wanet net>
Date: Mon, 24 Jul 2000 21:25:14 -0700


In message <SIMEON.10007251058.J21192 () bluebottle itss>, Russell Fulton said:
Greetings,
        We recently had a Solaris 7 box compromised.  We *think* that
the crackers got initial access through the oracle account, which has
the default password :-(.

Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts).  This was followed a few seconds
later by a telnet session.  Logs were destroyed, so we cannot say with
any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in
/tmp and unfortunately he deleted them.  One of the files he remembers
deleting was /tmp/bob; that rings a bell in my memory, but I can't
find any reference to it on securityfocus or anywhere else.  I assume
that this is a file left from a local elevation of privilege attack,
but I would like confirmation of that.

/tmp/bob is a fingerprint from an rpc.statd exploit.

Was rpc.statd running on the system?  If so, I'd lay very good odds that was
how the system was compromised.

jeffl


--
Jeffrey F. Lawhorn                       |Internet Security Consulting
Software Design Associates, Inc.         |IDS Monitoring/Reporting
jeffl () wanet net       619-679-5900 voice |Expunge Intruders
http://www.wanet.net/ 619-679-2327 fax   |
Finger jeffl () wanet net for PGP Public Key.

Insist on Quality! WANet.Net is an ISP/C Member - http://www.ispc.org/
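The thread describes two things a defender can check for: the finger-then-telnet sequence seen in the network logs, and the /tmp/bob artifact together with whether rpc.statd was running. The script below is an added example written for this archive page, not code from either poster; the connection records, addresses, file listing and process list are constructed inputs, and the field layout of the records is an assumption.

```python
# Constructed connection-log records for illustration (not data from the incident):
# (proto, src, dst, dst_port, epoch_seconds, bytes_sent, bytes_returned)
SAMPLE_LOG = [
    ("tcp", "203.0.113.5",  "198.51.100.7", 79, 1000,   3, 600),  # finger: tiny query, big reply
    ("tcp", "203.0.113.5",  "198.51.100.7", 23, 1004, 210, 950),  # telnet 4 s later from same host
    ("tcp", "203.0.113.9",  "198.51.100.7", 79, 2000,   3, 600),  # finger with no prompt follow-up
    ("tcp", "203.0.113.9",  "198.51.100.7", 23, 2900, 300, 800),  # telnet, but 900 s later
    ("tcp", "203.0.113.11", "198.51.100.7", 22, 3000, 400, 900),  # unrelated ssh session
]

FINGER_PORT, TELNET_PORT = 79, 23


def finger_then_telnet(records, window=30, min_reply=100):
    """Correlate the pattern from the report: a finger query that returned a
    sizeable account listing, followed within `window` seconds by a telnet
    session from the same source to the same host. Returns (src, dst, gap)."""
    hits = []
    fingers = [r for r in records if r[3] == FINGER_PORT and r[6] >= min_reply]
    for _, src, dst, _, t_finger, _, _ in fingers:
        for _, s2, d2, port, t_telnet, _, _ in records:
            if (s2, d2, port) == (src, dst, TELNET_PORT):
                gap = t_telnet - t_finger
                if 0 < gap <= window:
                    hits.append((src, dst, gap))
    return hits


def statd_indicators(tmp_listing, process_names):
    """Check the two indicators raised in the reply: the /tmp/bob artifact and
    whether rpc.statd is among the running processes. Both inputs are plain
    lists so the check can run against a saved listing rather than live hosts."""
    return {
        "tmp_bob_present": "/tmp/bob" in tmp_listing,
        "statd_running": any(p.endswith("rpc.statd") or p == "statd" for p in process_names),
    }


if __name__ == "__main__":
    for src, dst, gap in finger_then_telnet(SAMPLE_LOG):
        print(f"finger->telnet from {src} to {dst} within {gap}s: review this session")
    print(statd_indicators(["/tmp/bob", "/tmp/.X11-unix"], ["inetd", "/usr/lib/nfs/rpc.statd"]))
```

A real investigation would feed this from the firewall or flow logs and a preserved copy of /tmp, which is also why the reporter's admin deleting the files before imaging cost them the evidence.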

