Security Incidents mailing list archives
/tmp/bob on compromised system
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 25 Jul 2000 10:34:58 +1200
Greetings,
We recently had a solaris 7 box compromised. We *think* that
the crackers got initial access through the oracle account which has
the default password :-(.
Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts). This was followed a few seconds
later by a telnet session. Logs were destroyed so we can not say with
any certainty which account was accessed.
The compromise was discovered when the admin noticed some odd files in
/tmp and unfortunately he deleted them. One of the files he remembers
deleting was /tmp/bob, now that rings a bell in my memory but I can't
find any reference to it on securityfocus or anywhere else. I assume
that this is a file left from a local elevation of priviledge attack
but I would like confirmation of that.
Cheers, Russell.
Current thread:
- /tmp/bob on compromised system Russell Fulton (Jul 24)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 25)
- Protect rpc.statd by tcp wrapper? (was Re: /tmp/bob on compromised system Ralf G. R. Bergs (Jul 27)
- Re: /tmp/bob on compromised system Joseph Pingenot (Jul 25)
- Re: /tmp/bob on compromised system Fredrik Ostergren (Jul 26)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 27)
- <Possible follow-ups>
- Re: /tmp/bob on compromised system Matt Merhar (Jul 25)
- Re: /tmp/bob on compromised system Security (Jul 26)
- Re: /tmp/bob on compromised system Adam Pendleton (Jul 25)
- Re: /tmp/bob on compromised system Rob McCauley (Jul 26)
- Re: /tmp/bob on compromised system Granquist, Lamont (Jul 27)
- Re: /tmp/bob on compromised system Rob McCauley (Jul 26)
(Thread continues...)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 25)