Security Incidents mailing list archives
Re: Solaris hack
From: "Christopher X. Candreva" <chris () westnet com>
Date: Mon, 25 Feb 2002 10:58:14 -0500 (EST)
On Fri, 22 Feb 2002, Matt K. wrote:
> They most likely got in via dtspcd or ttdbserver. Run strings on /usr/ucb/ps
> and see if you see 'sexygurl' near the end. Also, check the dates on files
> such as /bin/ls. The rootkit doesn't seem to change the
Also these:

-r-sr-xr-x 1 root root  17156 Jan 14 20:56 m68k
-rwxr-xr-x 1 root root 301632 Jan 14 20:56 mc68000
-r-xr-xr-x 1 root root   9296 Jan 14 20:56 mc68010
-r-sr-xr-x 1 root root  36520 Jan 14 20:56 mc68020
-r-xr-xr-x 1 root root  20064 Jan 14 20:56 mc68030
-r-xr-sr-x 1 root root  55168 Jan 14 20:56 mc68040
-rwxr-xr-x 1 root root 558868 Jan 14 20:56 sshd2
-r-sr-sr-x 1 root root 101744 Jan 14 20:56 sun2
-r-sr-xr-x 1 root root  48028 Jan 14 20:56 sun3
-r-xr-xr-x 1 root root   9028 Jan 14 20:56 sun3x
-r-sr-xr-x 1 root root  29200 Jan 14 20:56 u370
-r-xr-xr-x 1 root root   5256 Jan 14 20:57 w

(cut/paste from a machine I fixed 2 weeks ago. Dates are when our machine got hacked, not relevant for you).

Specifically, u370 was the real login, and login was replaced. They replace the programs that ID CPU types that will never be run.

==========================================================
Chris Candreva -- chris () westnet com -- (914) 967-7816
WestNet Internet Services of Westchester        http://www.westnet.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
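An added defender-side check built from the indicators in this thread (example code, not from the original post): it audits the machine-ID wrapper names in the listing above for setuid/setgid bits or a non-script size, and greps a file for the 'sexygurl' marker. It assumes the wrappers live under /usr/bin as links to the small machid shell script and that POSIX sh, ls, wc and grep are available; the directory is a parameter so the audit can be run against a mounted image of the suspect disk.

```shell
#!/bin/sh
# Added example, not from the original thread. On a clean Solaris system the
# machine-ID names below (/usr/bin/sun2, u370, m68k, ...) are assumed to be
# links to the small machid shell script, so a setuid/setgid bit or a large
# binary at one of those paths matches the replacement described above.
# Assumes POSIX sh, ls, wc and grep. The directory is a parameter so the
# audit can run against a mounted image of the suspect disk.

MACHID_NAMES="m68k mc68000 mc68010 mc68020 mc68030 mc68040 sun2 sun3 sun3x u370"

# Report each suspicious file under $1; return 1 if any were found, else 0.
audit_machid_dir() {
    dir="$1"
    found=0
    for name in $MACHID_NAMES; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -r-sr-xr-x
        size=$(wc -c < "$f" | tr -d ' ')
        case "$mode" in
            *s*|*S*)
                echo "SUSPICIOUS setuid/setgid bit: $mode $size $f"
                found=1 ;;
        esac
        # A script wrapper is a few hundred bytes; 17 KB and up is a binary.
        if [ "$size" -gt 4096 ]; then
            echo "SUSPICIOUS size for a script wrapper: $mode $size $f"
            found=1
        fi
    done
    return $found
}

# Return 0 if the rootkit's marker string is embedded in the file (the thread
# suggests checking the replaced /usr/ucb/ps this way).
has_marker() {
    grep -q 'sexygurl' "$1" 2>/dev/null
}

if [ $# -gt 0 ]; then
    audit_machid_dir "$1" || echo "rootkit indicators found under $1"
fi
```

Run it as `sh audit.sh /mnt/image/usr/bin` against the mounted disk; a clean system prints nothing and exits 0.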