Security Incidents mailing list archives

Re: DoS Trojan on Solaris


From: rmueller () UU NET (Ross Mueller)
Date: Thu, 3 Feb 2000 17:56:39 -0500


It was discovered that the following programs had trojan replacements:
/usr/lib/nfs/lockd
/usr/lib/nfs/statd
/usr/openwin/bin/rpc.ttdbserverd
/usr/bin/login
/usr/bin/ps
/usr/bin/inetd
/usr/sbin/in.rlogind
/usr/sbin/login

"I'd look around a bit more, because there is more: if it has patched ps, it would have patched netstat."


Hello.

For starters, it was not a "HACKER", it was a cracker or script kiddie. Also, a
typical crack: most likely he used an nlock exploit against your system, then
continued to copy or upload the rootkit. Check your ftp logs and bash history;
he probably entered all his commands in a bash shell. Also, there are a lot of nasty
rootkits around; the one he used is very similar to lrk4 (comes with
sniffers etc.). What it does is trojan all your valuable services like ps,
netstat etc. to make your system appear fine when it is not. The DoS was

The Solaris root default shell is /bin/sh, not bash, and most Solaris sys
admins don't change this, so most likely there won't be a .bash_history
file to look into. And even script kids know how to remove log files.

What leads you to believe that it was nlockd that was
exploited? Most likely it was ttdb/statd or cmsd.

For starters, you should do your research: this was a Solaris machine that
was hacked, so it wouldn't be using lrk4.

just a simple and very easy to obtain daemon or tool. It was most likely started
from another machine, because once a system is infected it can interact with
other infected systems to launch a much larger scale attack. I think the tool
used was similar to blitznet, or something similar, not trinoo!!! or they would
probably have crashed.

FIX
Use a firewall/router that filters ports 111 _and_ 32771, and
      configure it so that it rejects all packets coming from outside
      with a source IP which is inside your network. And of course
      keep up with all the latest security patches and scan your network
      regularly. For a scanner, Nessus: nice GUI and fast, kinda easy to install
      but a very big program, and of course it is free.........

Filtering isn't the best solution for everyone. I would recommend
carefully auditing which system services you need to be running (including
RPC services), and as stated above, keep up with security patches. Firewalling is
a solution for some, but not for all.


Also, I think due to the attacker's lame ethics the machine was
probably easily exploited ("some lack of security"). I strongly recommend applying a
simple program patch that goes by the name of BASTILLE; it will stop this level
of intruder 70 to 100% of the time. Get it at www.securify.com/packetstorm.

Bastille is for Linux. Once again, do your reading.

Not sure if that helped.
Oh well, some simple info on a cracker's profile of attack.
"Simple standards stop simple minds"
"Advanced standards stop simple and smart minds, not advanced minds"
"Advanced minds stop advanced standards"


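The checks this thread points at (which RPC services a Solaris box of this era is actually exposing, the port 111/32771 filtering and anti-spoofing rule in the FIX, and the remark that a trojaned ps means netstat is trojaned too), as an added shell example that is not part of the thread or of any poster's own tools. The `rpcinfo -p` listing is constructed, not captured from a real host; the list of risky service names, the interface name le0 and the internal network 192.0.2.0/24 are assumptions for the example; the rules are written in ipf (IPFilter) syntax as one way to express the filtering the FIX describes.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an `rpcinfo -p` listing for the
# RPC services named in the thread as the usual way in, turns the findings into
# ipf-style block rules (port 111, the 32771+ ports Solaris hands to RPC daemons,
# and an anti-spoofing rule), and cross-checks ps against /proc so that a
# trojaned ps cannot hide the attacker's processes from the check.

# Constructed sample in `rpcinfo -p` format; not captured from a real host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  32771  status
    100024    1   tcp  32771  status
    100021    4   tcp   4045  nlockmgr
    100068    5   udp  32779  cmsd
    100083    1   tcp  32780  ttdbserverd
    100003    2   udp   2049  nfs'

# Service names the thread discusses as likely exploit vectors ("status" is what
# rpc.statd registers as). The list itself is an assumption of this example.
RISKY_SERVICES='status nlockmgr cmsd ttdbserverd'

# Print "service proto port" for every entry whose service is in RISKY_SERVICES.
find_risky_rpc() {
    printf '%s\n' "$1" | awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        NF == 5 && $1 ~ /^[0-9]+$/ && ($5 in want) { print $5, $3, $4 }' | sort -u
}

# Number of distinct risky services registered with the portmapper.
count_risky() {
    find_risky_rpc "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Ports at or above 32771 (the range Solaris assigns to RPC daemons), one per line.
high_rpc_ports() {
    printf '%s\n' "$1" | awk 'NF == 5 && $4 ~ /^[0-9]+$/ && $4 + 0 >= 32771 { print $4 }' | sort -un
}

# Emit ipf-style rules: drop anything claiming an internal source address on the
# outside interface, drop the portmapper (111), and drop every high RPC port found.
ipf_rules() {
    iface="$2"; inside="$3"   # assumed interface and internal network
    printf 'block in quick on %s from %s to any\n' "$iface" "$inside"
    for proto in tcp udp; do
        printf 'block in quick on %s proto %s from any to any port = 111\n' "$iface" "$proto"
    done
    high_rpc_ports "$1" | while read -r port; do
        for proto in tcp udp; do
            printf 'block in quick on %s proto %s from any to any port = %s\n' "$iface" "$proto" "$port"
        done
    done
}

# PIDs present in /proc but missing from ps output. A ps trojaned to hide the
# attacker's processes shows up here; a clean host prints nothing, apart from
# the occasional process that exited between the /proc glob and the ps run.
# The glob is done by the shell itself so no extra process is created for it.
hidden_pids() {
    [ -d /proc ] || return 0
    command -v ps >/dev/null 2>&1 || return 0
    proc_pids=""
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && proc_pids="$proc_pids ${d#/proc/}"
    done
    ps -e -o pid= | awk -v procs="$proc_pids" '
        { seen[$1] = 1 }
        END { n = split(procs, p, " ")
              for (i = 1; i <= n; i++) if (p[i] != "" && !(p[i] in seen)) print p[i] }'
}

printf 'Risky RPC services registered:\n'
find_risky_rpc "$SAMPLE_RPCINFO"
printf '\nSuggested ipf rules:\n'
ipf_rules "$SAMPLE_RPCINFO" le0 192.0.2.0/24
printf '\nPIDs in /proc that ps does not report:\n'
hidden_pids
```

On a real host, replace the constructed listing with `rpcinfo -p localhost` and treat every risky service that is not genuinely needed as something to disable rather than merely filter, which is the point made in the reply about auditing services. Run `hidden_pids` from a known-good shell and, ideally, with a `ps` binary copied from clean installation media, since the check is only as trustworthy as the tools it runs.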
