Educause Security Discussion mailing list archives
Re: Recent Solaris 9 compromises
From: Scott Weeks <sweeks () SANDIEGO EDU>
Date: Tue, 9 Mar 2004 14:36:32 -0800
On Tue, 9 Mar 2004, Mike Iglesias wrote:

: We had some Solaris 9 systems compromised in the last week from
: Connection to an IRC server on port 6667 on the target system.
:
: Has anyone else seen anything like this? Unfortunately there are no
: packet dumps or IDS logs of the attack so we can't tell how they got
: in using telnet or /bin/login.

How about letting the machine do its thing for a little bit and find the IRC servers and channel they're contacting. (tcpdump or sniffer)

I see a lot of this when devious folks from "out in the wild" compromise a machine and turn it into a file server for distribution of music, games, and everything else under the sun. The computers go to the chatroom and advertise what they have available and how to get it. It's also a good place to look for other IPs you own... ;-)

scott

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
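Added example, not part of the original post: Python that reads the text output of `tcpdump -n -A` captured for the compromised host and lists the IRC servers it talks to, the nicknames and channels it uses, and the hosts of other channel members, which is where "other IPs you own" would show up. The sample capture, addresses and names are constructed, and the current tcpdump header-line format is assumed.

```python
import re
from collections import defaultdict

# Input: text output of `tcpdump -n -A -s 0 host <compromised-ip>`.
HEADER = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
# Commands the compromised host sends (RFC 1459); matched by content, not port.
CLIENT_CMD = re.compile(r"\b(NICK|JOIN|PRIVMSG) ([^\s,:]+)")
# Messages relayed by the server carry the sender as :nick!user@host
PEER = re.compile(r":[^\s!@]+![^\s@]+@(\S+) (?:JOIN|PRIVMSG) ")

def summarize_irc(capture_text, local_ip):
    """Map (server_ip, port) -> nicks used, channels joined, peer hosts seen."""
    flows = defaultdict(lambda: {"nicks": set(), "channels": set(), "peer_hosts": set()})
    server, outbound = None, False
    for line in capture_text.splitlines():
        m = HEADER.search(line)
        if m:  # new packet: work out which end is the remote server
            src, sport, dst, dport = m.groups()
            if src == local_ip:
                server, outbound = (dst, int(dport)), True
            elif dst == local_ip:
                server, outbound = (src, int(sport)), False
            else:
                server = None
            continue
        if server is None:
            continue
        if outbound:
            cmd = CLIENT_CMD.search(line)
            if cmd and cmd.group(1) == "NICK":
                flows[server]["nicks"].add(cmd.group(2))
            elif cmd and cmd.group(2)[0] in "#&":
                flows[server]["channels"].add(cmd.group(2))
        else:
            for host in PEER.findall(line):
                flows[server]["peer_hosts"].add(host)
    return dict(flows)

# Constructed sample capture (documentation addresses, made-up names).
SAMPLE = """\
14:02:11.100001 IP 192.0.2.10.32801 > 198.51.100.7.6667: Flags [P.], seq 1:14, ack 1, win 5840, length 13
E..A..@.@.....NICK bot17
14:02:11.300002 IP 192.0.2.10.32801 > 198.51.100.7.6667: Flags [P.], seq 14:34, ack 90, win 5840, length 20
E..H..@.@.....JOIN #example-chan
14:02:12.500003 IP 198.51.100.7.6667 > 192.0.2.10.32801: Flags [P.], seq 90:160, ack 34, win 5792, length 70
E..z..@.3.....:bot04!srv@host4.campus.example PRIVMSG #example-chan :list updated
14:02:13.000004 IP 192.0.2.10.41000 > 203.0.113.5.80: Flags [P.], seq 1:17, ack 1, win 5840, length 16
E..D..@.@.....GET / HTTP/1.0
"""
```

Calling `summarize_irc(SAMPLE, "192.0.2.10")` returns a single entry for the IRC server; the HTTP flow is ignored because it carries no IRC commands.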
Current thread:
- Recent Solaris 9 compromises Mike Iglesias (Mar 09)
- <Possible follow-ups>
- Re: Recent Solaris 9 compromises Scott Weeks (Mar 09)