Security Incidents mailing list archives
Anybody recognize this Solaris compromise?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 13 Apr 2007 11:46:46 -0700
I've got a Solaris machine on my network that has acquired an unauthorized behaviour of unknown origin. Every night, from 1:10:30am until 6:00:30am, it tries to establish outbound telnet connections to addresses all over the Internet. The addresses appear to be random, although at any given moment the last octets of the targets seem to be the same, plus or minus 1. It rather looks as if there are multiple threads, each gradually incrementing the last octet in parallel with the others. I haven't yet determined if perhaps each thread has a constant set of the first three octets, or whether they're random with each attempt. When it succeeded in connecting to a few servers -- before I blocked outbound Telnet from that machine -- it went through the initial Telnet negotiation of parameters and terminal type, and then let the session expire, never attempting to log in. So it rather looks like the purpose is to build a database of reachable Telnet servers. I have not found anything yet that looks like an attempt to deliver that database or to collect it from outside. The regularity of the start and stop times suggests that it's running on autopilot. The machine is running the SIRSI library application; it's possible that the vulnerability is associated with that and not generically with Solaris. We're not heavy Solaris users here, and so IT doesn't support that machine -- I'm trying to help our SIRSI admin pin down what's going on so they can determine how to identify and remove the culprit. Also we don't know what other tricks it may have up its sleeve.... David Gillett ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: "How a Hacker Launches a SQL Injection Attack!"- SPI Dynamics White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CiNE --------------------------------------------------------------------------
Current thread:
- Anybody recognize this Solaris compromise? David Gillett (Apr 13)
- Re: Anybody recognize this Solaris compromise? Jamie Riden (Apr 13)
- Re: Anybody recognize this Solaris compromise? Tim (Apr 13)
- Re: Anybody recognize this Solaris compromise? Matthew T. Fata (Apr 13)
- Message not available
- Re: Anybody recognize this Solaris compromise? Jamie Riden (Apr 18)
- Re: Anybody recognize this Solaris compromise? Jamie Riden (Apr 13)
- Re: Anybody recognize this Solaris compromise? Axel Pettinger (Apr 13)