Security Incidents mailing list archives
Solaris hack
From: Jamie Lawrence <jal () abulafia com>
Date: Thu, 21 Feb 2002 20:05:06 -0800
I'm helping with a Solaris 8 box that was rooted. The attacker replaced the /usr/bin/mc680*0 binaries, so many of the usual administrative commands are misbehaving. Is this from a rootkit anyone has seen before?

This is a production box, and has to stay up for a while yet (the usual bad sort of administrative neglect), so reinstalling from scratch is not an approach I can take this minute. I'm just looking for pointers on what I can expect, so I can hopefully temporarily plug some holes until the box can be rebuilt.

TIA.

-j