Security Incidents mailing list archives
Re: backdoor
From: steveg <steveg () stevegcentral com>
Date: Sun, 23 Jun 2002 01:09:41 -0700 (PDT)
I am not a Sun expert by any means, but this doesn't look like a compromise to me...

> 1. %nmap foo .... 898/tcp open unknown

Standard port for the SUN Management Console server.

> 3. %netstat ... 30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock

This is the directory that smc uses to store its PID etc. (check: you should have a boot.pid file in there).

> 4. % /usr/local/bin/lsof -U java 436 root 25u unix 105,25 0t0 35169 /devices/pseudo/tl@0:ticots-> /tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)

Again, I think that's pretty standard for SUN services being "tied" to pseudo devices.

> Ok, what's happening? I am very confused; the inode number lsof shows points to a directory and a character device. How can I stop that listening binary?

This is a service that should be started by smcboot; check your /etc/rc#.d/ directory (whichever runlevel you are in). Of course, if this is not a Sun box then this is a little odd indeed... again, not an expert with Sun, but this looks like a normal Sun service.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
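An added triage helper (example code, not part of the post or of SMC): it joins the `netstat -f unix` and `lsof -U` lines quoted in the thread on the kernel socket address and vnode, then checks that the process owning `/tmp/smc898/cmdsock` is the java PID recorded in `boot.pid`, the check the reply suggests. The sample lines are copied from the post; the `boot.pid` content and the assumption that it holds the owning PID are hypothetical.

```python
import re

# Constructed sample input: the netstat and lsof lines quoted in the post, plus
# an assumed content for /tmp/smc898/boot.pid (hypothetical placeholder).
NETSTAT_UNIX = "30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock\n"
LSOF_UNIX = ("java 436 root 25u unix 105,25 0t0 35169 /devices/pseudo/tl@0:ticots-> "
             "/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)\n")
BOOT_PID = "436\n"

# lsof -U line: command pid user ... socket-path (0xaddr) (Vnode=0xvnode)
LSOF_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?(?P<path>/\S+)"
                     r"\s+\(0x(?P<addr>[0-9a-fA-F]+)\)\s+\(Vnode=0x(?P<vnode>[0-9a-fA-F]+)\)")

def parse_netstat_unix(text):
    """Map socket address -> (vnode, path); columns: Address Type Vnode Conn Local."""
    sockets = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5:
            sockets[parts[0].lower()] = (parts[2].lower(), parts[4])
    return sockets

def correlate(netstat_text, lsof_text):
    """Join lsof entries to netstat on socket address; 'consistent' = vnode and path agree."""
    sockets = parse_netstat_unix(netstat_text)
    findings = []
    for m in filter(None, map(LSOF_RE.match, lsof_text.splitlines())):
        ns = sockets.get(m["addr"].lower())
        findings.append({"cmd": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
                         "path": m["path"], "consistent": ns == (m["vnode"].lower(), m["path"])})
    return findings

def check_smc_listener(findings, boot_pid_text, smc_dir="/tmp/smc898"):
    """Return why the listener does NOT look like normal SMC (empty list = consistent).
    Assumes boot.pid holds the PID owning the cmdsock."""
    try:
        expected_pid = int(boot_pid_text.strip())
    except ValueError:
        return ["boot.pid missing or unreadable"]
    smc = [f for f in findings if f["path"].startswith(smc_dir + "/")]
    if not smc:
        return ["no unix socket found under %s" % smc_dir]
    reasons = []
    for f in smc:
        if f["cmd"] != "java":
            reasons.append("%s owned by %s, expected java" % (f["path"], f["cmd"]))
        if f["pid"] != expected_pid:
            reasons.append("pid %d differs from boot.pid %d" % (f["pid"], expected_pid))
        if not f["consistent"]:
            reasons.append("netstat and lsof disagree on %s" % f["path"])
    return reasons
```

On a live box, feed it the real outputs of `netstat -f unix`, `lsof -U` and the contents of `/tmp/smc898/boot.pid`; an empty result means the listener matches the expected SMC process, anything else is worth a closer look.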
Current thread:
- backdoor Fabio Miranda (Jun 22)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Ken Fischer (Jun 25)
- Re: backdoor Hugo van der Kooij (Jun 23)
- Re: backdoor Jonas M Luster (Jun 23)
- Re: backdoor Kyle R. Hofmann (Jun 24)
- Message not available
- Re: backdoor Jonas M Luster (Jun 24)
- Re: backdoor Hugo van der Kooij (Jun 26)
- Re: backdoor Greg A. Woods (Jun 26)
- Re: backdoor Jonas M Luster (Jun 23)
- Message not available
- Re: [incidents] Re: backdoor Jonas M Luster (Jun 25)
- RE: [incidents] Re: backdoor Don Weber (Jun 26)
- Re: backdoor steveg (Jun 23)