Security Incidents mailing list archives
Re: Anybody recognize this Solaris compromise?
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Fri, 13 Apr 2007 21:50:41 +0100
Hi David,

Were you/they running telnetd as a service in February? See http://www.kb.cert.org/vuls/id/881872

On 13/04/07, David Gillett <gillettdavid () fhda edu> wrote:
> I've got a Solaris machine on my network that has acquired an unauthorized behaviour of unknown origin. Every night, from 1:10:30am until 6:00:30am, it tries to establish outbound telnet connections to addresses all over the Internet.

<snip>

> The machine is running the SIRSI library application; it's possible that the vulnerability is associated with that and not generically with Solaris. We're not heavy Solaris users here, and so IT doesn't support that machine -- I'm trying to help our SIRSI admin pin down what's going on so they can determine how to identify and remove the culprit.

Reformat and re-install? It's the only way to be sure you've cleaned it properly. Probably cheaper than a thorough forensic examination as well.

cheers,
 Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/