Security Incidents mailing list archives
FW: hack indications (fwd)
From: Steve Mancini <smancini () ICHIPS INTEL COM>
Date: Wed, 17 Jan 2001 15:11:51 -0800
-----Original Message-----
From: Byron Rendar [mailto:byronr () mcmurdo oci pcc edu]
Sent: Wednesday, January 17, 2001 12:37 PM
Subject: hack indications

Hi,

Does any of this indicate how/what happened?

FIRST

My logs had entries like the following about the time I think the break-in occurred.

Jan 14 13:06:07 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:06:47 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:07:15 mcmurdo last message repeated 1 time
Jan 14 13:07:49 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:08:09 mcmurdo last message repeated 1 time
Jan 14 13:08:19 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:10:05 mcmurdo last message repeated 5 times
Jan 14 13:10:16 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:10:24 mcmurdo last message repeated 1 time
Jan 14 13:10:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:27 mcmurdo last message repeated 1 time
Jan 14 13:10:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:57 mcmurdo last message repeated 2 times
Jan 14 13:11:23 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:11:31 mcmurdo last message repeated 1 time
Jan 14 13:11:32 mcmurdo /usr/dt/bin/rpc.ttdbserverd[2708]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:33 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:34 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: iserase(): 78
Jan 14 13:11:35 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:35 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:37 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3549]: iserase(): 78
Jan 14 13:20:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:20:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:46:58 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Killed
Jan 14 20:30:01 mcmurdo telnetd[5002]: ttloop: peer died: Bad file number

SECOND

I found a binary /sbin/xlogin that was new.

THIRD

I found a directory in /dev/pts called 01 modified 1/14/01. It contained:

/diskt2/home/byronr/preserve/01:
bin  cleaner  crypt  l3  patcher  pg  su-backup  uconf.inv  utime

/diskt2/home/byronr/preserve/01/bin:
du  find  ls  netstat  passwd  ping  psr  su

Patcher looks like:

#!/bin/sh
VER=`uname -r`
cd /tmp
# ./install_cluster -nosave -q
# Ok.. so if theyre not lame, and running this on SunOS like they should...
case $VER in
5.5)
    # 5.5 patchkit replaces su, ps, ping, login
    cp /usr/bin/su /dev/pts/01/55su
    cp /usr/bin/ps /dev/pts/01/55ps
    cp /usr/sbin/ping /dev/pts/01/55ping
    cp /usr/bin/login /dev/pts/01/55login
etc.

----- End of forwarded message from Mancini, Steve -----
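The log excerpt above carries three separate signals that are easy to miss when reading it by hand: inetd[183] reporting that its children /usr/dt/bin/rpc.cmsd and /usr/dt/bin/rpc.ttdbserverd died on Bus Error, Illegal Instruction and Segmentation Fault (what repeated overflow attempts against an inetd-spawned RPC daemon look like), the bind failures for ingreslock/tcp coming from inetd PIDs 3542 and 3545 rather than the original inetd[183] (a second inetd started with its own configuration, with the ingreslock service, port 1524/tcp, being a well-known place for a root-shell backdoor of that era), and the "last message repeated N times" lines that hide most of the crash count. The following triage script is an added example by the editor, not something from the original message or a tool the poster used; the log lines embedded in it are copied from the message above, and the detection rules (the inetd signal pattern, the bind-failure pattern, and flagging more than one inetd PID) are the editor's own heuristics.

```python
import re
from collections import Counter, defaultdict

# Syslog lines copied verbatim from the forwarded message (Solaris, CDE daemons under inetd).
SAMPLE_LOG = """\
Jan 14 13:06:07 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:06:47 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:07:15 mcmurdo last message repeated 1 time
Jan 14 13:07:49 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:08:09 mcmurdo last message repeated 1 time
Jan 14 13:08:19 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:10:05 mcmurdo last message repeated 5 times
Jan 14 13:10:16 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:10:24 mcmurdo last message repeated 1 time
Jan 14 13:10:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:27 mcmurdo last message repeated 1 time
Jan 14 13:10:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:57 mcmurdo last message repeated 2 times
Jan 14 13:11:23 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:11:31 mcmurdo last message repeated 1 time
Jan 14 13:11:32 mcmurdo /usr/dt/bin/rpc.ttdbserverd[2708]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:33 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:34 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: iserase(): 78
Jan 14 13:11:35 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:35 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:37 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3549]: iserase(): 78
Jan 14 13:20:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:20:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:46:58 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Killed
Jan 14 20:30:01 mcmurdo telnetd[5002]: ttloop: peer died: Bad file number
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
PROG_RE = re.compile(r"^(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")
# inetd logs "<child path>: <signal name>" when a child it spawned dies on a signal.
CRASH_RE = re.compile(r"^(?P<path>/\S+): (?P<sig>Bus Error|Illegal Instruction|"
                      r"Segmentation Fault(?: - core dumped)?|Killed)$")
BIND_RE = re.compile(r"^(?P<svc>[\w-]+)/(?P<proto>tcp|udp): bind: Address already in use$")


def parse(lines):
    """Yield (ts, prog, pid, msg) events, expanding 'last message repeated N times'."""
    last = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rep = REPEAT_RE.match(m["rest"])
        if rep:                      # syslogd collapsed N further copies of the previous event
            if last is not None:
                for _ in range(int(rep["n"])):
                    yield last
            continue
        p = PROG_RE.match(m["rest"])
        if p:
            last = (m["ts"], p["prog"], p["pid"], p["msg"])
            yield last


def triage(log_text):
    """Summarise inetd-reported child crashes, bind failures and the set of inetd PIDs."""
    crashes, bind_fail = Counter(), Counter()
    signals, bind_pids = defaultdict(set), defaultdict(set)
    inetd_pids = set()
    for _ts, prog, pid, msg in parse(log_text.splitlines()):
        if prog != "inetd":
            continue
        if pid:
            inetd_pids.add(int(pid))
        c = CRASH_RE.match(msg)
        if c:
            crashes[c["path"]] += 1
            signals[c["path"]].add(c["sig"])
            continue
        b = BIND_RE.match(msg)
        if b:
            key = f"{b['svc']}/{b['proto']}"
            bind_fail[key] += 1
            bind_pids[key].add(int(pid))
    findings = [f"{path}: {n} abnormal terminations ({', '.join(sorted(signals[path]))}); "
                "repeated crashes of an inetd child are consistent with overflow attempts"
                for path, n in crashes.most_common()]
    findings += [f"{key}: {n} bind failures from inetd pid(s) {sorted(bind_pids[key])}; "
                 "another process already owns that port" for key, n in bind_fail.items()]
    if len(inetd_pids) > 1:
        findings.append(f"inetd seen under pids {sorted(inetd_pids)}; a second inetd with its own "
                        "config (e.g. a shell on ingreslock) is a classic backdoor")
    return {"crashes": dict(crashes), "bind_failures": dict(bind_fail),
            "inetd_pids": sorted(inetd_pids), "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f)
```

On this sample the expansion of the repeat lines turns a handful of rpc.cmsd entries into fifteen abnormal terminations, and the bind failures all come from PIDs other than the original inetd[183], which is the detail to chase on the host: the process owning 1524/tcp and the configuration file the extra inetd was started with.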