Security Incidents mailing list archives
Re: /tmp/bob on compromised system
From: Jens Oeser <Jens.Oeser () CONNECTOR DE>
Date: Tue, 25 Jul 2000 10:34:55 +0200
Hi!

Well, "/tmp/bob" is just an inetd.conf-like file which is created by some RPC exploits from Horizon. A second inetd is launched and reads that file to start a bindshell which mostly binds to port 1524 (ingreslock).

Maybe that was a cmsd exploit; take a look at /var/spool/calendar ... maybe there is still a file "callog.root.SOMETHING" ... look at the end of that file, the "Author" entry could be your attacker. Note that a normal "root" user also creates a "callog.root.SOMETHING" file.

Maybe you should think about proper packet filtering, if that attack came from the internet. Filter out the portmapper AND the RPC ports ... filtering only portmap does not make much sense; every time an RPC service is called from within the network, it is available for every bad guy on the inet.

regards,
Jens Oeser
-----Original Message-----
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Tuesday, 25 July 2000 00:35
To: INCIDENTS () SECURITYFOCUS COM
Subject: /tmp/bob on compromised system

Greetings,

We recently had a Solaris 7 box compromised. We *think* that the crackers got initial access through the oracle account, which has the default password :-(. Network logs show a finger to the box (which sent 3 chars and returned 600, presumably the list of accounts). This was followed a few seconds later by a telnet session. Logs were destroyed so we cannot say with any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in /tmp and unfortunately he deleted them. One of the files he remembers deleting was /tmp/bob. Now that rings a bell in my memory but I can't find any reference to it on securityfocus or anywhere else. I assume that this is a file left from a local elevation of privilege attack but I would like confirmation of that.

Cheers,
Russell.
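The indicators Jens lists (a second inetd reading a config file under /tmp, a bindshell listener on 1524/tcp, and the author entries in a callog file) can be checked with a few lines of shell. The script below is an added example written for this archive page, not code from either poster; every SAMPLE_* value in it is constructed to imitate Solaris-style `ps -ef`, `netstat -an`, inetd.conf and callog text so it runs offline, and the callog layout in particular is only an approximation of the real file. On a live host you would pipe the real command output and files into the same functions.

```shell
#!/bin/sh
# Added triage helpers for the three indicators Jens describes: a second inetd
# started from a config file outside /etc (the /tmp/bob pattern), a listener
# on 1524/tcp (ingreslock), and the author entries in a callog file under
# /var/spool/calendar. Every SAMPLE_* value below is constructed so the script
# runs offline; on a real host feed in `ps -ef`, `netstat -an`, the suspect
# config file and the callog file instead.

# Constructed `ps -ef` output: one normal inetd, one reading a file in /tmp.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   178     1  0   Jul 20 ?        0:01 /usr/sbin/inetd -s
    root  4711     1  0 23:59:12 ?        0:00 /usr/sbin/inetd -s /tmp/bob
  oracle  4720  4711  0 23:59:40 ?        0:00 /bin/sh'

# Constructed `netstat -an` TCP lines (Solaris layout, documentation IPs).
SAMPLE_NETSTAT='      *.22                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN
      *.1524               *.*                0      0 24576      0 LISTEN
192.0.2.10.1524      198.51.100.7.33021     0      0 24820      0 ESTABLISHED'

# Constructed inetd.conf-style content of the kind Jens says /tmp/bob holds;
# only the second line hands the connection straight to a shell.
SAMPLE_TMP_BOB='ftp        stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
ingreslock stream tcp nowait root /bin/sh sh -i'

# Constructed imitation of callog.root.* entries; the real file is longer,
# but the author: field is the one the thread points at.
SAMPLE_CALLOG='Version: 4
(add "Tue Jul 18 09:00:00 2000" key: 1 what: "backup window" author: "root@host")
(add "Mon Jul 24 23:58:00 2000" key: 2 what: "" author: "oracle@host")'

# PIDs of inetd processes given a config path outside /etc.
rogue_inetd_pids() {
    printf '%s\n' "$1" | awk '/inetd/ {
        for (i = 8; i <= NF; i++)
            if ($i ~ /^\// && $i !~ /^\/etc\// && $i !~ /inetd$/) print $2
    }'
}

# Local address of any TCP listener on port 1524 (ingreslock).
ingreslock_listeners() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" && $1 ~ /\.1524$/ { print $1 }'
}

# Service names in inetd.conf-style text whose server program is a shell.
shell_services() {
    printf '%s\n' "$1" | awk '$6 ~ /\/(sh|ksh|csh|bash)$/ { print $1 }'
}

# The author: values of a callog file, in file order, for comparison with
# known administrator activity around the time of the compromise.
callog_authors() {
    printf '%s\n' "$1" | sed -n 's/.*author: "\([^"]*\)".*/\1/p'
}

# Stand-alone report over the constructed samples.
run_report() {
    echo "inetd with non-/etc config: $(rogue_inetd_pids "$SAMPLE_PS")"
    echo "ingreslock listeners:       $(ingreslock_listeners "$SAMPLE_NETSTAT")"
    echo "shell-spawning services:    $(shell_services "$SAMPLE_TMP_BOB")"
    echo "callog authors:             $(callog_authors "$SAMPLE_CALLOG" | tr '\n' ' ')"
}
run_report
```

Each function takes its input as text rather than running the command itself, so the same checks can be applied to output captured from the compromised host or preserved in a case file; the inetd check deliberately flags any config path outside /etc, not just /tmp/bob, since the file name is the least stable part of the pattern.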
Current thread:
- Protect rpc.statd by tcp wrapper? (was Re: /tmp/bob on compromised system, (continued)
- Protect rpc.statd by tcp wrapper? (was Re: /tmp/bob on compromised system Ralf G. R. Bergs (Jul 27)
- Re: /tmp/bob on compromised system Joseph Pingenot (Jul 25)
- Re: /tmp/bob on compromised system Fredrik Ostergren (Jul 26)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 27)
- Re: /tmp/bob on compromised system Matt Merhar (Jul 25)
- Re: /tmp/bob on compromised system Security (Jul 26)
- Re: /tmp/bob on compromised system Adam Pendleton (Jul 25)
- Re: /tmp/bob on compromised system Rob McCauley (Jul 26)
- Re: /tmp/bob on compromised system Granquist, Lamont (Jul 27)
- Re: /tmp/bob on compromised system Russell Fulton (Jul 28)
- Re: /tmp/bob on compromised system Rob McCauley (Jul 26)
- Re: /tmp/bob on compromised system Jens Oeser (Jul 25)
- Re: /tmp/bob on compromised system Lynch Sean (Jul 26)