Security Incidents mailing list archives
Re: Anybody recognize this Solaris compromise?
From: Tim <tim-forensics () sentinelchicken org>
Date: Fri, 13 Apr 2007 17:43:13 -0400
Were you/they running telnetd as a service in February? See http://www.kb.cert.org/vuls/id/881872 Reformat and re-install? It's the only way to be sure you've cleaned it properly. Probably cheaper than a thorough forensic examination as well.
Ditto. If you've got a full capture of the outgoing telnet sessions (the ones that could connect), it might be pretty easy to confirm this is the vuln the attacker has been exploiting.

tim