Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: /tmp/bob on compromised system

From: Matt Merhar <grid_goolah () HOTMAIL COM>
Date: Tue, 25 Jul 2000 00:37:25 EDT
/tmp/bob is a sign that you've been compromised through known rpc exploits,
such as ttdb/cmsd/statd, and the likes. /tmp/bob is used as the
configuration file for the inetd process the exploit starts, which usually
puts a bindshell on ingreslock (port 1524)



From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Reply-To: r.fulton () AUCKLAND AC NZ
To: INCIDENTS () SECURITYFOCUS COM
Subject: /tmp/bob on compromised system
Date: Tue, 25 Jul 2000 10:34:58 +1200

Greetings,
          We recently had a solaris 7 box compromised.  We *think* that
the crackers got initial access through the oracle account which has
the default password :-(.

Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts).  This was followed a few seconds
later by a telnet session.  Logs were destroyed so we can not say with
any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in
/tmp and unfortunately he deleted them.  One of the files he remembers
deleting was /tmp/bob, now that rings a bell in my memory but I can't
find any reference to it on securityfocus or anywhere else.  I assume
that this is a file left from a local elevation of priviledge attack
but I would like confirmation of that.

Cheers, Russell.


________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
Previous By Date Next
Previous By Thread Next

Current thread: