Security Incidents mailing list archives
Re: Solaris hack
From: "Matt K." <matt () mail ucf edu>
Date: Fri, 22 Feb 2002 22:42:03 -0500
They most likely got in via dtspcd or ttdbserver. Run strings on /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the dates on files such as /bin/ls. The rootkit doesn't seem to change the dates on the files it changes, so they are easy to detect. The rootkit also edits /etc/init.d/network and starts an sshd2 daemon at the end. This is one of the ways the rooters get into your machine later on.

If you think you have the rootkit I am talking about, email me directly and I will get you a list of the files to replace, etc. You should consider disabling most of the stuff in /etc/inetd.conf (once you replace it with the original, for it was most likely changed) and patching your system to the latest revisions. The dtspcd thing is pretty hot right now from my standpoint as I see many scans daily for it.

Matt

On Thu, Feb 21, 2002 at 08:05:06PM -0800, Jamie Lawrence wrote:
> I'm helping with a Solaris 8 box that was rooted. The attacker replaced the /usr/bin/mc680*0 binaries, so many of the usual administrative commands are misbehaving. Is this from a rootkit anyone has seen before?
>
> This is a production box, and has to stay up for a while yet (the usual bad sort of administrative neglect), so reinstalling from scratch is not an approach I can take this minute. I'm just looking for pointers on what I can expect, so I can hopefully temporarily plug some holes until the box can be rebuilt.
>
> TIA.
>
> -j
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Matt Kassawara
Unix Computing Support / Security
Department of Computer Science and Electrical Engineering
University of Central Florida
407.823.3018
matt () mail ucf edu
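A POSIX shell script, added here and not part of the original thread, that runs the checks Matt describes (the 'sexygurl' string in /usr/ucb/ps, the modification date on /bin/ls, an sshd2 start appended to /etc/init.d/network, and how many services /etc/inetd.conf still enables) against a filesystem root prefix. Using /bin/cat as the mtime reference and the sshd2 path in the sample tree are assumptions; make_sample builds a constructed tree so the checks can be tried offline.

```shell
#!/bin/sh
# Audit a Solaris root prefix for the indicators from the reply above.
# Added example; $1 is the root prefix ("" for the live system).

# 1. The trojaned ps carries the string 'sexygurl'. The post suggests
#    strings(1); grep -a is a fallback for hosts without binutils.
has_marker() {                      # $1 = binary, $2 = marker string
    if command -v strings >/dev/null 2>&1; then
        strings "$1" 2>/dev/null | grep -q -- "$2"
    else
        grep -a -q -- "$2" "$1" 2>/dev/null
    fi
}

# 2. The kit does not reset mtimes, so a replaced /bin/ls is newer than
#    an untouched binary installed at the same time (assumed: /bin/cat).
newer_than() {                      # $1 = suspect file, $2 = reference file
    [ -n "$(find "$1" -prune -newer "$2" 2>/dev/null)" ]
}

# 3. The kit appends an sshd2 start to /etc/init.d/network.
starts_sshd2() {                    # $1 = init script
    grep -q 'sshd2' "$1" 2>/dev/null
}

# 4. Services still enabled in inetd.conf (non-blank, non-comment lines).
enabled_inetd() {                   # $1 = inetd.conf
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" 2>/dev/null
}

# Prints one line per finding; the exit status is the number of findings.
audit() {
    r=$1; n=0
    has_marker "$r/usr/ucb/ps" sexygurl  && { echo "ps: 'sexygurl' present"; n=$((n+1)); }
    newer_than "$r/bin/ls" "$r/bin/cat"  && { echo "ls: newer than cat";    n=$((n+1)); }
    starts_sshd2 "$r/etc/init.d/network" && { echo "network: starts sshd2"; n=$((n+1)); }
    echo "inetd.conf: $(enabled_inetd "$r/etc/inetd.conf") services enabled"
    return $n
}

# Constructed sample tree mimicking the rooted box; prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/ucb" "$d/bin" "$d/etc/init.d"
    printf 'ELF\000junk\000sexygurl\000' > "$d/usr/ucb/ps"
    printf 'original cat\n' > "$d/bin/cat"; touch -t 200001010000 "$d/bin/cat"
    printf 'trojaned ls\n' > "$d/bin/ls"          # mtime is now: newer than cat
    printf '#!/sbin/sh\n/sbin/ifconfig -a\n/usr/local/sbin/sshd2\n' > "$d/etc/init.d/network"
    printf '# inetd.conf\nftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n\ndtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd\n' > "$d/etc/inetd.conf"
    echo "$d"
}
```

Run `audit "$(make_sample)"` to see all three findings reported, or `audit ""` on a mounted copy of the suspect filesystem.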