Security Incidents mailing list archives

Re: /tmp/bob on compromised system


From: Adam Pendleton <APendleton () VGSINC COM>
Date: Mon, 24 Jul 2000 21:56:23 -0400

I seem to recall that the /tmp/bob file is part of the ingreslock exploit.
Check out the CERT Incident Note IN-99-04 and related CERT stuff for more
information.


Adam H. Pendleton
Security Engineer
VGS, Inc.
Fairfax, Virginia


-----Original Message-----
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Monday, July 24, 2000 18:35
To: INCIDENTS () SECURITYFOCUS COM
Subject: /tmp/bob on compromised system


Greetings,
          We recently had a Solaris 7 box compromised.  We *think* that
the crackers got initial access through the oracle account which has
the default password :-(.

Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts).  This was followed a few seconds
later by a telnet session.  Logs were destroyed so we cannot say with
any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in
/tmp and unfortunately he deleted them.  One of the files he remembers
deleting was /tmp/bob, now that rings a bell in my memory but I can't
find any reference to it on securityfocus or anywhere else.  I assume
that this is a file left from a local elevation of privilege attack
but I would like confirmation of that.

Cheers, Russell.
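The sequence Russell describes (a finger request that sends a few bytes and gets a few hundred back, i.e. a full account listing, followed seconds later by a telnet login from the same source) is a recognisable reconnaissance-then-login pattern that can be hunted for in whatever network logs survive. The script below is an added example written for this archive page; it is not code from either poster. It assumes a hypothetical flow-log format (start time, source, destination, destination port, bytes from client, bytes from server, one connection per line) and runs over constructed sample records, not the logs from the incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

FINGER_PORT = 79
TELNET_PORT = 23

# Constructed sample flow log (hypothetical format, not the poster's data).
# Fields: date time src dst dport bytes_from_client bytes_from_server
SAMPLE_FLOWS = """\
2000-07-24 17:02:11 203.0.113.5 10.0.0.7 79 3 600
2000-07-24 17:02:18 203.0.113.5 10.0.0.7 23 412 1890
2000-07-24 17:05:40 198.51.100.9 10.0.0.7 79 9 87
2000-07-24 17:30:02 198.51.100.9 10.0.0.7 23 380 1700
2000-07-24 17:41:13 192.0.2.44 10.0.0.7 23 300 1500
"""


@dataclass
class Flow:
    start: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


@dataclass
class Finding:
    src: str
    dst: str
    finger_at: datetime
    telnet_at: datetime
    finger_reply_bytes: int

    @property
    def gap_seconds(self) -> float:
        return (self.telnet_at - self.finger_at).total_seconds()


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed one-connection-per-line format, sorted by start time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, clock, src, dst, dport, b_out, b_in = line.split()
        start = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        flows.append(Flow(start, src, dst, int(dport), int(b_out), int(b_in)))
    return sorted(flows, key=lambda f: f.start)


def detect_finger_then_telnet(text: str, window_seconds: int = 60,
                              listing_bytes: int = 200) -> List[Finding]:
    """Flag telnet sessions preceded, within `window_seconds`, by a finger
    request from the same source to the same host whose reply was large
    enough to be an account listing rather than a single-user lookup.
    The 60 s window and 200-byte listing threshold are assumptions."""
    flows = parse_flows(text)
    window = timedelta(seconds=window_seconds)
    findings = []
    for telnet in (f for f in flows if f.dport == TELNET_PORT):
        for finger in flows:
            if finger.dport != FINGER_PORT:
                continue
            if finger.src != telnet.src or finger.dst != telnet.dst:
                continue
            if finger.bytes_in < listing_bytes:
                continue  # short reply: single user queried, not an enumeration
            gap = telnet.start - finger.start
            if timedelta(0) <= gap <= window:
                findings.append(Finding(telnet.src, telnet.dst, finger.start,
                                        telnet.start, finger.bytes_in))
    return findings


def report(findings: List[Finding]) -> List[str]:
    return [f"{f.src} -> {f.dst}: finger reply {f.finger_reply_bytes} bytes at "
            f"{f.finger_at:%H:%M:%S}, telnet {f.gap_seconds:.0f}s later"
            for f in findings]


if __name__ == "__main__":
    for line in report(detect_finger_then_telnet(SAMPLE_FLOWS)):
        print(line)
```

With the defaults only the first pair is reported; the second source's finger reply is too short to be a listing and its telnet comes 24 minutes later. Loosening both thresholds (for example a one-hour window and no size floor) makes the second pair a finding as well, which is the knob to turn when hunting rather than alerting.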

