Security Incidents mailing list archives
Re: /tmp/bob on compromised system
From: Security <security () ARC COM>
Date: Tue, 25 Jul 2000 20:48:22 -0400
I agree, but I think it is sadmind. ttdbserverd, rpc.cmsd, rpc.statd were supposedly fixed in Solaris 2.7 or before. We have seen successful sadmind attacks on 2.7 boxes, not ttdbserverd, etc.

------------------------------------------------------------------
Bob Todd
Advanced Research Corporation
http://www-arc.com

----- Original Message -----
From: "Matt Merhar" <grid_goolah () HOTMAIL COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, July 25, 2000 12:37 AM
Subject: Re: /tmp/bob on compromised system
/tmp/bob is a sign that you've been compromised through known rpc exploits, such as ttdb/cmsd/statd, and the likes. /tmp/bob is used as the configuration file for the inetd process the exploit starts, which usually puts a bindshell on ingreslock (port 1524).

From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Reply-To: r.fulton () AUCKLAND AC NZ
To: INCIDENTS () SECURITYFOCUS COM
Subject: /tmp/bob on compromised system
Date: Tue, 25 Jul 2000 10:34:58 +1200

Greetings,

We recently had a Solaris 7 box compromised. We *think* that the crackers got initial access through the oracle account, which has the default password :-(. Network logs show a finger to the box (which sent 3 chars and returned 600, presumably the list of accounts). This was followed a few seconds later by a telnet session. Logs were destroyed, so we can not say with any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in /tmp and unfortunately he deleted them. One of the files he remembers deleting was /tmp/bob; now that rings a bell in my memory, but I can't find any reference to it on securityfocus or anywhere else. I assume that this is a file left from a local elevation of privilege attack, but I would like confirmation of that.

Cheers, Russell.
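Two quick triage checks for the pattern Matt describes (a second inetd started from a dropped config that hands out a root shell on ingreslock/1524). This is an added example, not code from anyone in the thread. The contents of the sample /tmp/bob and the sample ps listing are constructed here to match the description above; the default config path /etc/inet/inetd.conf is assumed for Solaris 7.

```shell
#!/bin/sh
# Added triage helpers for the /tmp/bob pattern (rogue inetd + bindshell on
# ingreslock). Not from the thread; sample inputs below are constructed.

# Constructed sample: a dropped inetd config of the kind the thread describes
# (assumed content: an inetd entry that serves an interactive root shell on
# the ingreslock service, TCP port 1524).
SAMPLE_CONF='ingreslock stream tcp nowait root /bin/sh sh -i'

# Constructed sample ps output: the legitimate inetd, a second inetd started
# with an alternate config file, and the shell it spawned.
SAMPLE_PS='  123 root /usr/sbin/inetd -s
 4567 root /usr/sbin/inetd -s /tmp/bob
 4570 root /bin/sh sh -i'

# Read inetd.conf-format lines on stdin; print one flagged line for each
# entry that is on ingreslock or whose server program (field 6) is a shell.
flag_inetd_entries() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }                       # comment / junk
        $1 == "ingreslock" { print "ingreslock(1524): " $0; next }
        $6 ~ /^(.*\/)?(sh|ksh|csh|bash)$/ { print "shell server: " $0 }
    '
}

# Read "pid user command args..." lines on stdin; print each inetd that was
# started with a config path other than the Solaris default (assumed path).
rogue_inetd() {
    awk '
        {
            k = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(.*\/)?inetd$/) { k = i; break }
            if (!k) next
            for (j = k + 1; j <= NF; j++)
                if ($j ~ /^\// && $j != "/etc/inet/inetd.conf" && $j != "/etc/inetd.conf")
                    print "inetd pid " $1 " using config " $j
        }
    '
}

# Usage on a live box: ps -ef | rogue_inetd ; cat /tmp/bob | flag_inetd_entries
printf '%s\n' "$SAMPLE_CONF" | flag_inetd_entries
printf '%s\n' "$SAMPLE_PS" | rogue_inetd
```

On a box you already believe is compromised, run ps, awk and sh from known-good media (or image the disk first): the same intruders who drop /tmp/bob routinely replace ps and netstat, so a clean-looking process list proves nothing. Confirming a listener on TCP 1524 from a second host (for example with a plain port probe) is the check that does not depend on the victim's binaries.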
Current thread:
- /tmp/bob on compromised system Russell Fulton (Jul 24)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 25)
- Protect rpc.statd by tcp wrapper? (was Re: /tmp/bob on compromised system Ralf G. R. Bergs (Jul 27)
- Re: /tmp/bob on compromised system Joseph Pingenot (Jul 25)
- Re: /tmp/bob on compromised system Fredrik Ostergren (Jul 26)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 27)
- <Possible follow-ups>
- Re: /tmp/bob on compromised system Matt Merhar (Jul 25)
- Re: /tmp/bob on compromised system Security (Jul 26)
- Re: /tmp/bob on compromised system Adam Pendleton (Jul 25)
- Re: /tmp/bob on compromised system Rob McCauley (Jul 26)
- Re: /tmp/bob on compromised system Granquist, Lamont (Jul 27)
- Re: /tmp/bob on compromised system Russell Fulton (Jul 28)
- Re: /tmp/bob on compromised system Rob McCauley (Jul 26)
- Re: /tmp/bob on compromised system Jeffrey F. Lawhorn (Jul 25)
- Re: /tmp/bob on compromised system Jens Oeser (Jul 25)
- Re: /tmp/bob on compromised system Lynch Sean (Jul 26)