Security Incidents mailing list archives

NSDAP Solaris rootkit


From: SecLists <lists () secure stargate net>
Date: Thu, 14 Feb 2002 11:53:39 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All:

Just saw a Solaris rootkit that was installed, apparently after a
successful compromise of the dtspcd service on a Solaris 7 box...
I had never seen it before, and for those who also haven't: it installs
in /usr/lib/vold/nsdap, which isn't seen with the regular ls... /dev/null's all
the logs, etc.
There are a few executable shell scripts in there... There is also an
/etc/init.d/network added with the following contents:
/usr/bin/sshd2 -q
This sshd runs on port 17811...
Too much to cover in one email... it replaces the normal ps, netstat, etc...

I can send a copy of the rootkit if there are enough people out there that
haven't seen this...

thanks,
shawn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8a+ue3Qw8DHute6kRAtbjAJ9AIqFuKPNGLKGKmJ3TRUELRaqgDgCdF95X
m6aM2pprjmHk67/aFUeTSM0=
=FHgr
-----END PGP SIGNATURE-----
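An offline check for the indicators Shawn lists, as an added example that is not part of the original post. It is meant to be run from a clean host against a mounted, read-only copy of the suspect filesystem, since the victim's own ls, ps and netstat are replaced by the kit and cannot be trusted. The directory, the rc script, the sshd2 binary and port 17811 are taken from the report; the "crc size path" baseline format, the trusted-netstat capture and the sample trees the script builds are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a mounted copy of a suspect
# Solaris root for the NSDAP indicators reported above. Paths and port are from
# the report; the baseline format and the sample trees are constructed here.

# Print a HIT line for each file-system indicator present under ROOT.
nsdap_sweep() {
    root=${1%/}
    # Hidden install directory: invisible to the trojaned ls, plain to a clean one.
    [ -d "$root/usr/lib/vold/nsdap" ] && echo "HIT: rootkit dir $root/usr/lib/vold/nsdap"
    # Added rc script that starts the backdoor sshd at boot.
    [ -f "$root/etc/init.d/network" ] && grep -q 'sshd2' "$root/etc/init.d/network" \
        && echo "HIT: $root/etc/init.d/network launches sshd2"
    # The backdoor daemon itself.
    [ -f "$root/usr/bin/sshd2" ] && echo "HIT: backdoor binary $root/usr/bin/sshd2"
    return 0
}

# Compare cksum of core binaries under ROOT against a baseline of "crc size path"
# lines taken from a known-clean box at the same patch level (assumed format).
# Prints a HIT for each file that is missing or whose checksum differs.
baseline_verify() {
    root=${1%/}; baseline=$2
    while read -r crc size path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root$path" ]; then
            echo "HIT: $path missing"
            continue
        fi
        set -- $(cksum "$root$path")          # cksum prints: crc size name
        [ "$1" = "$crc" ] && [ "$2" = "$size" ] || echo "HIT: $path checksum mismatch"
    done < "$baseline"
    return 0
}

# Look for the reported backdoor port in a "netstat -an" capture that was made
# with a trusted netstat (e.g. from install media), never the installed one.
listener_check() {
    grep -E '[.:]17811[[:space:]].*LISTEN' "$1" | sed 's/^/HIT: backdoor listener: /'
    return 0
}

# Count HIT lines on stdin (prints 0 rather than failing when there are none).
hit_count() { grep -c '^HIT:' || true; }

# Build constructed sample trees: a clean root and one carrying the indicators.
# Prints the scratch directory that holds both trees and the baseline file.
make_sample_trees() {
    scratch=$(mktemp -d)
    for t in clean infected; do
        mkdir -p "$scratch/$t/usr/bin" "$scratch/$t/etc/init.d"
        printf 'stand-in ps binary\n' > "$scratch/$t/usr/bin/ps"
        printf 'stand-in netstat binary\n' > "$scratch/$t/usr/bin/netstat"
    done
    # Baseline taken from the clean tree, paths relative to the tree root.
    for p in /usr/bin/ps /usr/bin/netstat; do
        set -- $(cksum "$scratch/clean$p")
        echo "$1 $2 $p"
    done > "$scratch/baseline.txt"
    # Infect the second tree the way the report describes.
    inf=$scratch/infected
    mkdir -p "$inf/usr/lib/vold/nsdap"
    echo '/usr/bin/sshd2 -q' > "$inf/etc/init.d/network"
    printf 'stand-in sshd2 backdoor\n' > "$inf/usr/bin/sshd2"
    printf 'stand-in TROJANED ps binary\n' > "$inf/usr/bin/ps"
    # Constructed capture from a trusted "netstat -an" showing the backdoor listener.
    printf '      *.22      *.*  0 0 49152 0 LISTEN\n      *.17811   *.*  0 0 49152 0 LISTEN\n' \
        > "$inf/netstat-an.txt"
    echo "$scratch"
}

# Demo run on the constructed trees. Against a real case, point the three
# functions at the mount point of the suspect disk and at a trusted capture.
scratch=$(make_sample_trees)
echo "== clean tree =="
nsdap_sweep "$scratch/clean"; baseline_verify "$scratch/clean" "$scratch/baseline.txt"
echo "== infected tree =="
nsdap_sweep "$scratch/infected"; baseline_verify "$scratch/infected" "$scratch/baseline.txt"
listener_check "$scratch/infected/netstat-an.txt"
rm -rf "$scratch"
```

The sweep deliberately uses only test, grep and cksum from the analysis host: nothing on the suspect disk is executed, which is the whole point when ps, netstat and ls have been swapped out.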



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

