RE: Solaris hack

["Glenn Pitcher" <gpitcher () san rr com>]

Well, the reality is, there really isn't any way of knowing just what to
expect.  Especially since this is a production box, my suggestion is to
bring the system down *as soon as possible* (moan, sigh) fix the problem
(while keeping track of the downtime) then go to management and say - this
is why we need to purchase/upgrade our security systems, look at the
production time we've lost. Yes, its going to be a real headache and people
are going to loose sleep but this is the price we pay for being SysAdmins.

-------
Glenn Pitcher
System Administration / Security / Networking
(858) 674-1847 (home)
(858) 243-3433 (cell)
gpitcher () san rr com



-----Original Message-----
From: Jamie Lawrence [mailto:jal () abulafia com]
Sent: Thursday, February 21, 2002 8:05 PM
To: incidents () securityfocus com
Subject: Solaris hack


I'm helping with a Solaris 8 box that was rooted.

The attacker replaced the /usr/bin/mc680*0 binaries,
so many of the usual administrative commands are
misbehaving. Is this from a rootkit anyone has seen
before?

This is a production box, and has to stay up for a while
yet (the usual bad sort of administrative neglect), so reinstalling
from scratch is not an approach I can take this minute.

I'm just looking for pointers on what I can expect, so  I can
hopefully temporarily plug some holes until the box can
be rebuilt.

TIA.

-j


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com