Security Incidents mailing list archives

Re: /tmp/bob on compromised system


From: Jens Oeser <Jens.Oeser () CONNECTOR DE>
Date: Tue, 25 Jul 2000 10:34:55 +0200

Hi!

Well, "/tmp/bob" is just an inetd.conf-like file which is created by some RPC
exploits from Horizon. A second inetd is launched and reads that file to
start a bindshell which mostly binds to port 1524 (ingreslock). Maybe that
was a cmsd exploit; take a look at /var/spool/calendar ...  maybe there
still is a file "callog.root.SOMETHING" ... look at the end of that file,
the "Author" entry could be your attacker. Note that a normal "root" user
also creates a "callog.root.SOMETHING" file.
Maybe you should think about proper packet filtering, if that attack came
from the internet. Filter out the portmapper AND the RPC ports ... filtering
only portmap does not make much sense; every time an RPC service is called
from within the network, it is available for every bad guy in the inet.

regards,
Jens Oeser
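As an added illustration of the check described in the reply above (this is example code, not from the list post or any tool it mentions), the following script parses an inetd.conf-style file such as the one dropped as /tmp/bob and flags any entry whose server program is a shell. The sample input and the small service-to-port table are constructed for the example; a real system would consult /etc/services.

```python
"""Scan inetd.conf-style text for entries that hand a listening socket to a
shell, the pattern the reply above describes for /tmp/bob (constructed example)."""
import os
from dataclasses import dataclass
from typing import List, Optional

# Interpreters that have no business being an inetd "server program".
SHELL_PROGRAMS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}

# Tiny stand-in for /etc/services so the example runs offline;
# ingreslock/1524 is the port named in the reply above.
SERVICE_PORTS = {"ingreslock": 1524, "telnet": 23, "finger": 79, "ftp": 21}


@dataclass
class Finding:
    service: str
    port: Optional[int]
    user: str
    program: str
    line: str


def find_bind_shells(conf_text: str) -> List[Finding]:
    """Return one Finding per inetd.conf line whose server program is a shell."""
    findings: List[Finding] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # incomplete entry: service type proto wait user program [args]
        service, _sock, _proto, _wait, user, program = fields[:6]
        args = fields[6:]
        # A line may route through tcpd; the real server is then the first argument.
        target = args[0] if os.path.basename(program) == "tcpd" and args else program
        if os.path.basename(target) not in SHELL_PROGRAMS:
            continue
        # A bare port number is sometimes used instead of a service name.
        port = int(service) if service.isdigit() else SERVICE_PORTS.get(service)
        findings.append(Finding(service, port, user, target, line))
    return findings


# Constructed sample in the shape of an inetd.conf; not a real /tmp/bob.
SAMPLE_TMP_BOB = """\
telnet     stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
finger     stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
ingreslock stream tcp nowait root   /bin/sh sh -i
"""

if __name__ == "__main__":
    for f in find_bind_shells(SAMPLE_TMP_BOB):
        print(f"shell bound to {f.service} (port {f.port}) as {f.user}: {f.line}")
```

Running the same function over a second inetd process's configuration file, and comparing the process list against the expected single inetd, gives the two checks the reply suggests.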


-----Original Message-----
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Tuesday, 25 July 2000 00:35
To: INCIDENTS () SECURITYFOCUS COM
Subject: /tmp/bob on compromised system


Greetings,
        We recently had a Solaris 7 box compromised.  We *think* that
the crackers got initial access through the oracle account which has
the default password :-(.

Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts).  This was followed a few seconds
later by a telnet session.  Logs were destroyed so we cannot say with
any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in
/tmp and unfortunately he deleted them.  One of the files he remembers
deleting was /tmp/bob; now that rings a bell in my memory but I can't
find any reference to it on securityfocus or anywhere else.  I assume
that this is a file left from a local elevation of privilege attack
but I would like confirmation of that.

Cheers, Russell.
