Security Incidents mailing list archives
Re: .baa0xdd1r??
From: Lance Spitzner <lance () honeynet org>
Date: Mon, 30 Jul 2001 15:08:17 -0500 (CDT)
On Mon, 30 Jul 2001, SecLists wrote:
> We have a customer's system that we believe was hacked... in /var/tmp there is a binary file: .baa0xdd1r
> It appears to have replaced /usr/sbin/in.telnetd. /bin/login also appears suspect... this is:
>
> bash-2.01# uname -a
> SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
>
> Does this sound like a familiar rootkit? Or is it something totally new?
Since this is a Solaris box, I HIGHLY recommend you check out Sun's fingerprint database. Sun Microsystems has put online the MD5 hash of every binary they have distributed for the Solaris environment, including all patched versions. This database is very similar to a Tripwire snapshot for your binaries, and will confirm whether or not you have been compromised.

http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7

If you have been compromised, two great sites to start with are

http://www.cert.org
http://www.securityfocus.com

best of luck :)

lance

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
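The check Lance describes, hashing the suspect binaries and comparing them against vendor-published MD5s, as an added example that is not part of the original thread. It assumes a manifest of "md5 path" lines (constructed here in place of a real Sun fingerprint download) and an md5sum(1)-compatible tool; the demo tree and its hashes are constructed, not Sun's real fingerprints.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares MD5 hashes of the
# binaries the poster suspected against a known-good manifest, the same kind
# of comparison Sun's fingerprint database supports for Solaris binaries.

# Print the MD5 of one file as lowercase hex (md5sum, or openssl fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# check_against_manifest MANIFEST ROOT
# For each "hash path" line in MANIFEST (comments start with #), hash
# ROOT/path and report OK, MODIFIED (hash differs: candidate for a replaced
# binary) or MISSING. Returns 0 only if every listed file is OK.
check_against_manifest() {
    manifest=$1; root=$2; rc=0
    while read -r expected path; do
        [ -z "$expected" ] && continue
        case $expected in \#*) continue ;; esac
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path (expected $expected, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed demo tree: pristine /bin/login and /usr/sbin/in.telnetd,
# a manifest taken from that state, then in.telnetd replaced afterwards.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/usr/sbin"
printf 'pristine login\n'   > "$demo_root/bin/login"
printf 'pristine telnetd\n' > "$demo_root/usr/sbin/in.telnetd"
manifest="$demo_root/manifest.txt"
{
    echo "# constructed vendor hashes, not Sun's real fingerprints"
    echo "$(md5_of "$demo_root/bin/login") /bin/login"
    echo "$(md5_of "$demo_root/usr/sbin/in.telnetd") /usr/sbin/in.telnetd"
} > "$manifest"
printf 'trojaned telnetd\n' > "$demo_root/usr/sbin/in.telnetd"  # the "intrusion"
check_against_manifest "$manifest" "$demo_root" || echo "compromise indicated"
```

A real run would point ROOT at the suspect system (or a mounted image of it) and MANIFEST at hashes obtained from Sun, never at hashes computed on the host under investigation.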