Security Incidents mailing list archives

Re: httpd and sunrpc probes from 'sunos 5.6' machines


From: Brad Doctor <bdoctor () PS-AX COM>
Date: Mon, 7 May 2001 07:22:58 -0700

I've also seen much of the same -- I submitted this to the list over the
weekend, but it apparently never made it there.

Basically, there is a worm process much like Lion, etc. that after compromising
the machine, starts generating IP addresses and going after more.  The exploit
that is being used is some sort of sadmin exploit.  A tell-tale sign is a
root shell open on port 600 (not functional however).  The exploit places its
contents in /dev/cuc and goes to town with a perl script and a random number
generator.  It also creates a wide-open .rhosts for root.  It also starts
an inetd process with /tmp/.x that has one service, the root shell bound to
it, just like the lion stuff did a la "sh -i", however this shell has no IO
capabilities on Solaris, and is thus useless.  So, much like the other worms,
this one trudges on blindly after cracking a machine that was wide-open to
begin with.  I think the same group wrote this one as well due to its
similarities in execution and methodology.  It is executing Unicode attacks,
with static HTML in the perl script, typical anti-US stuff.

Moderator->Can this get posted to the list please?

-brad

hi,

during the past three days i've received both
httpd and sunrpc scans originating from what seem
to be sunos 5.6 boxes, according to the motd.

anyone else noticed the same? some worm rewriting
linux motds or is there
maybe something more alarming going on?
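The post above names several host-side artifacts of the worm (a directory under /dev/cuc, an inetd configuration in /tmp/.x that binds an interactive shell, a wide-open root .rhosts, a listener on port 600). The script below is an added example, not code from the thread or from any of its posters: it walks a file-system prefix looking for exactly those artifacts and, when run against the live root ("/"), also checks for a port 600 listener. The function names, the inetd.conf line used in the constructed sample tree, and the netstat pattern are assumptions; the paths themselves come from the post. Root's home directory is / on Solaris, so the .rhosts is looked for at the top of the prefix.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): check a host, or a copy of
# its file system mounted under PREFIX, for the artifacts described in the post.

# check_worm_indicators PREFIX
# Prints one "INDICATOR: ..." line per artifact found under PREFIX.
# Use "/" for the running host; any other directory is examined offline.
check_worm_indicators() {
    prefix=${1%/}            # "/" becomes "" so paths below stay absolute

    # 1. /dev/cuc: the post says the exploit drops its contents there.
    #    A directory of scripts under /dev is abnormal on a Solaris box.
    if [ -e "$prefix/dev/cuc" ]; then
        echo "INDICATOR: $prefix/dev/cuc exists"
    fi

    # 2. /tmp/.x: a second inetd is started with this file as its configuration,
    #    carrying a single service that hands out a root shell ("sh -i").
    if [ -f "$prefix/tmp/.x" ]; then
        echo "INDICATOR: $prefix/tmp/.x present (inetd configuration in /tmp)"
        if grep -q 'sh -i' "$prefix/tmp/.x" 2>/dev/null; then
            echo "INDICATOR: $prefix/tmp/.x binds an interactive shell (sh -i)"
        fi
    fi

    # 3. Wide-open root .rhosts: a line of "+" or "+ +" trusts every host
    #    (and every user) for rsh/rlogin without a password.
    if [ -f "$prefix/.rhosts" ] \
       && grep -q -E '^\+([[:space:]]+\+)?[[:space:]]*$' "$prefix/.rhosts"; then
        echo "INDICATOR: $prefix/.rhosts grants trust to all hosts"
    fi

    # 4. Port 600 listener: only meaningful on the live host, so it is skipped
    #    when an offline copy is being examined. The pattern is an assumption
    #    that covers both Solaris ("*.600") and Linux (":600") netstat output.
    if [ -z "$prefix" ] && command -v netstat >/dev/null 2>&1; then
        if netstat -an 2>/dev/null | grep -E '[.:]600[[:space:]]+.*LISTEN' >/dev/null; then
            echo "INDICATOR: something is listening on TCP port 600"
        fi
    fi
    return 0
}

# count_worm_indicators PREFIX: number of INDICATOR lines for PREFIX (0 if clean).
count_worm_indicators() {
    check_worm_indicators "$1" | grep -c '^INDICATOR:' || true
}

# build_sample_tree DIR: constructs a fake root exhibiting every artifact, so the
# checker can be demonstrated without touching a real host. Sample data only.
build_sample_tree() {
    mkdir -p "$1/dev/cuc" "$1/tmp"
    printf 'shell stream tcp nowait root /bin/sh sh -i\n' > "$1/tmp/.x"
    printf '+ +\n' > "$1/.rhosts"
}

# Demonstration on the constructed tree (run against "/" to examine the real host).
demo=$(mktemp -d)
build_sample_tree "$demo"
check_worm_indicators "$demo"
echo "indicators found: $(count_worm_indicators "$demo")"
rm -rf "$demo"
```

On a real host, `check_worm_indicators /` is the call to make; a non-empty result on a Solaris machine that exposes sunrpc is a reason to take the box off the network and image it before cleaning, since the post notes the worm immediately begins scanning for further victims.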


