Security Incidents mailing list archives

FW: hack indications (fwd)


From: Steve Mancini <smancini () ICHIPS INTEL COM>
Date: Wed, 17 Jan 2001 15:11:51 -0800

-----Original Message-----
From: Byron Rendar [mailto:byronr () mcmurdo oci pcc edu]
Sent: Wednesday, January 17, 2001 12:37 PM
Subject: hack indications


Hi,

Does any of this indicate how/what happened?

FIRST
My logs had entries like the following about the time
I think the break-in occurred.


Jan 14 13:06:07 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:06:47 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:07:15 mcmurdo last message repeated 1 time
Jan 14 13:07:49 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:08:09 mcmurdo last message repeated 1 time
Jan 14 13:08:19 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:10:05 mcmurdo last message repeated 5 times
Jan 14 13:10:16 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:10:24 mcmurdo last message repeated 1 time
Jan 14 13:10:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:27 mcmurdo last message repeated 1 time
Jan 14 13:10:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:57 mcmurdo last message repeated 2 times
Jan 14 13:11:23 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:11:31 mcmurdo last message repeated 1 time
Jan 14 13:11:32 mcmurdo /usr/dt/bin/rpc.ttdbserverd[2708]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:33 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:34 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: iserase(): 78
Jan 14 13:11:35 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:35 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:37 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3549]: iserase(): 78
Jan 14 13:20:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:20:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:46:58 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Killed
Jan 14 20:30:01 mcmurdo telnetd[5002]: ttloop:  peer died: Bad file number

SECOND
I found a binary /sbin/xlogin that was new.

THIRD
I found a directory in /dev/pts called 01 modified 1/14/01.

It contained:

/diskt2/home/byronr/preserve/01:
bin
cleaner
crypt
l3
patcher
pg
su-backup
uconf.inv
utime

/diskt2/home/byronr/preserve/01/bin:
du
find
ls
netstat
passwd
ping
psr
su

Patcher looks like:
#!/bin/sh

VER=`uname -r`
cd /tmp

# ./install_cluster -nosave -q

# Ok.. so if theyre not lame, and running this on SunOS like they should...
        case $VER in
                5.5)
# 5.5 patchkit replaces su, ps, ping, login
cp /usr/bin/su /dev/pts/01/55su
cp /usr/bin/ps /dev/pts/01/55ps
cp /usr/sbin/ping /dev/pts/01/55ping
cp /usr/bin/login /dev/pts/01/55login
etc.

----- End of forwarded message from Mancini, Steve -----

