Security Incidents mailing list archives

Re: /tmp/bob on compromised system


From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Wed, 26 Jul 2000 12:22:51 -0000

Greetings,
          We recently had a solaris 7 box compromised.  We *think* that the crackers got initial access through the oracle account which has the default password :-(.

Network logs show a finger to the box (which sent 3 chars and returned 600, presumably the list of accounts).  This was followed a few seconds later by a telnet session.  Logs were destroyed so we can not say with any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in /tmp and unfortunately he deleted them.  One of the files he remembers deleting was /tmp/bob, now that rings a bell in my memory but I can't find any reference to it on securityfocus or anywhere else.  I assume that this is a file left from a local elevation of privilege attack but I would like confirmation of that.

Cheers, Russell.


Well, all the stuff about rpc.statd is bullshit. First of all, rpc.statd isn't vulnerable in SunOS 5.7. The attacker was exploiting rpc.cmsd. 100% sure. Contact me for more info at: fredrik.ostergren () freebox com.

/ Fredrik.
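The sequence Russell describes, a finger query that returns the account list followed seconds later by a telnet login, is a pattern a defender can hunt for in connection logs even after the host's own logs are gone. The script below is an added example and is not part of this thread; it assumes a constructed, space-separated connection log (timestamp, source, destination, destination port, bytes sent, bytes received) and flags any source that fingers a host and then telnets to it within a configurable window. The log lines are made up for illustration.

```python
"""Flag finger-then-telnet sequences in a connection log.

Added example, not from the original mailing-list thread. Assumes a
hypothetical connection log with one record per line:
    YYYY-MM-DD HH:MM:SS <src_ip> <dst_ip> <dst_port> <bytes_sent> <bytes_recv>
"""
from datetime import datetime, timedelta

FINGER_PORT = 79
TELNET_PORT = 23
WINDOW = timedelta(seconds=30)  # how soon after a finger a telnet counts

# Constructed sample records (not real traffic). The first pair mirrors the
# post: a 3-byte finger request answered with ~600 bytes, then telnet.
SAMPLE_LOG = """\
2000-07-20 03:14:02 10.9.8.7 192.0.2.10 79 3 600
2000-07-20 03:14:09 10.9.8.7 192.0.2.10 23 412 2048
2000-07-20 03:20:00 10.9.8.8 192.0.2.10 23 300 900
2000-07-20 04:00:00 10.9.8.9 192.0.2.10 79 2 150
"""


def parse_line(line):
    """Turn one log record into a dict with a datetime and int fields."""
    date, time, src, dst, port, sent, recv = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "dst": dst,
        "port": int(port),
        "sent": int(sent),
        "recv": int(recv),
    }


def find_finger_then_telnet(log_text, window=WINDOW):
    """Return one alert per (src, dst) pair where a telnet connection
    follows a finger query from the same source within `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    last_finger = {}  # (src, dst) -> most recent finger event
    alerts = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["port"] == FINGER_PORT:
            last_finger[key] = e
        elif e["port"] == TELNET_PORT and key in last_finger:
            f = last_finger[key]
            if e["ts"] - f["ts"] <= window:
                alerts.append({
                    "src": e["src"],
                    "dst": e["dst"],
                    "finger_at": f["ts"],
                    "telnet_at": e["ts"],
                    # a large reply to a tiny request suggests a user listing
                    "finger_bytes_returned": f["recv"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_finger_then_telnet(SAMPLE_LOG):
        print(alert)
```

Run stand-alone it reports the one recon-then-login pair in the sample; the telnet from 10.9.8.8 with no preceding finger and the finger from 10.9.8.9 with no follow-up are left alone. Tighten or widen WINDOW to suit how quickly your own attackers move.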

