Security Incidents mailing list archives

.baa0xdd1r??


From: SecLists <lists () secure stargate net>
Date: Mon, 30 Jul 2001 11:48:05 -0400 (EDT)

We have a customer's system that we believe was hacked...

in /var/tmp there is a binary file:
.baa0xdd1r

it appears to have replaced /usr/sbin/in.telnetd

/bin/login also appears suspect...

this is:
bash-2.01# uname -a
SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1


does this sound like a familiar rootkit? or is it something totally new?

we are still gathering info but I wanted to post this soon on the chance
that someone has dealt with this before.. don't want to have to reinvent
the wheel...

thanks,

shawn


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

