Educause Security Discussion mailing list archives

Re: Recent Solaris 9 compromises


From: Scott Weeks <sweeks () SANDIEGO EDU>
Date: Tue, 9 Mar 2004 14:36:32 -0800

On Tue, 9 Mar 2004, Mike Iglesias wrote:

:  We had some Solaris 9 systems compromised in the last week from

:    Connection to an IRC server on port 6667 on the target system.
:
:  Has anyone else seen anything like this?  Unfortunately there are no
:  packet dumps or IDS logs of the attack so we can't tell how they got
:  in using telnet or /bin/login.


How about letting the machine do its thing for a little bit and finding the
IRC servers and channel they're contacting (tcpdump or sniffer)?  I see a
lot of this when devious folks from "out in the wild" compromise a machine
and turn it into a file server for distribution of music, games, and
everything else under the sun.  The computers go to the chatroom and
advertise what they have available and how to get it.  It's also a good
place to look for other IPs you own...  ;-)

scott
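As an added illustration of the triage Scott describes (this is not code from the thread or from either poster), the script below takes the reassembled payload of something like `tcpdump -nn -s 0 -A port 6667` on the compromised host and pulls out what a responder wants first: the server the bot registered with, the channels it joined, what it advertised there, and which of the addresses mentioned in the traffic fall inside your own netblock. The sample transcript, the `OWN_NETS` block, the hostnames and the nick are all constructed assumptions; the parser itself follows the RFC 1459 message grammar, so it also works on IRC traffic that is not on 6667 if you capture on the right port.

```python
"""Triage IRC traffic from a compromised host (added example, not from the thread).

Feed it the reassembled payload of `tcpdump -nn -s 0 -A port 6667` (or any IRC
transcript) and it reports which server the bot logged into, which channels it
joined, what it advertised, and which of the addresses mentioned in the traffic
fall inside your own address space.  Everything below is constructed.
"""
import ipaddress
import re

# RFC 1459 message shape: [":" prefix SPACE] command [params] [" :" trailing]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<rest>.*))?$")
# Dotted-quad with optional CIDR suffix, as seen in bot chatter and scan orders.
ADDR = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")

# Assumption: the address block(s) the responder is responsible for.
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample transcript written to look like what tcpdump -A shows for
# a warez/XDCC bot; hostnames and addresses are documentation values only.
SAMPLE = """\
NICK b0t|sd-1423
USER sd 0 * :sd
:irc.example.net 001 b0t|sd-1423 :Welcome to the Example IRC Network
JOIN #warez-xdcc,#0day-sd
:irc.example.net 332 b0t|sd-1423 #warez-xdcc :XDCC bots online, type !list
PRIVMSG #warez-xdcc :[XDCC] 3 packs 2 slots  [#1] 0day.game.rar  /msg b0t|sd-1423 xdcc send #1
PRIVMSG #warez-xdcc :more fserves at 192.0.2.45 port 6667 and 203.0.113.9
:op!u@host PRIVMSG b0t|sd-1423 :!scan 192.0.2.0/24
"""


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, [params...]) or None."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix, cmd, rest = m.group("prefix"), m.group("cmd").upper(), m.group("rest") or ""
    params, trailing = [], None
    if rest.startswith(":"):
        trailing = rest[1:]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
        params = head.split()
    else:
        params = rest.split()
    if trailing is not None:
        params.append(trailing)
    return prefix, cmd, params


def in_own_space(token, own_nets):
    """True/False for a valid address or CIDR; None if it only looked like one."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # e.g. 999.1.1.1 matches the regex but is not an address
    return any(net.overlaps(own) for own in own_nets)


def triage(transcript, own_nets=OWN_NETS):
    """Summarise what the bot connected to, joined, advertised and mentioned."""
    report = {"servers": set(), "nicks": set(), "channels": set(),
              "adverts": [], "own_addrs": set(), "other_addrs": set()}
    for raw in transcript.splitlines():
        parsed = parse_irc_line(raw)
        if not parsed:
            continue
        prefix, cmd, params = parsed
        if prefix and "!" not in prefix:          # no nick!user@host: a server
            report["servers"].add(prefix)
        if cmd == "NICK" and params:
            report["nicks"].add(params[0])
        elif cmd == "JOIN" and params:            # JOIN takes a comma list
            report["channels"].update(c for c in params[0].split(",") if c)
        elif cmd == "PRIVMSG" and len(params) >= 2 and params[0].startswith(("#", "&")):
            report["channels"].add(params[0])    # bot advertising in a channel
            report["adverts"].append((params[0], params[1]))
        for tok in ADDR.findall(raw):            # addresses in any line at all
            own = in_own_space(tok, own_nets)
            if own is True:
                report["own_addrs"].add(tok)
            elif own is False:
                report["other_addrs"].add(tok)
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in report.items()}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The `own_addrs` list is the "other IPs you own" Scott mentions: a scan order or fserve advert naming one of your own hosts is the quickest pointer to the next box to look at. Bare payload text without TCP reassembly can split IRC lines across packets, so for real captures run the output of `tcpdump -w` through a stream follower first rather than parsing `-A` output directly.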

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
