Security Incidents mailing list archives

RE: solaris hack info required


From: "Mike Batchelor" <mikebat () tmcs net>
Date: Fri, 29 Jun 2001 11:35:00 -0700


Hi,

Any help you can give me would be appreciated.

Turn off the print service on hosts connected to the Internet (unless you
intend to be a public print server, of course).


I've a Sun Netra X1 (Solaris 8) with a /var/adm/messages file full of these
messages at frequent but irregular intervals (approx every 5-10 seconds for
several hours).

I'm sure you have.

Do any of you recognise this?

Not specifically, but someone is trying to exploit one of many well-known
holes in the Solaris print service.  These are attempts to overrun a buffer
and put code of the hacker's choosing on the stack, in an attempt to get a
root shell.

If so, what should I be looking for to see if the hack was successful?

Run /usr/ucb/ps to see if there are any processes you don't recognize, or
copy the /usr/bin/ps command from the Solaris CD or a freshly installed,
never connected Solaris machine, and run that.  Check the output of netstat
(again, copy it from a known good source such as the Solaris install CD) and
see if there are any listening sockets for services you don't recognize.
Compare your tripwire signatures from before the attack with the signatures
as they exist now, especially for diagnostic commands like ps and netstat.
Any discrepancies are very suspicious.

If the admin doesn't know what is a normal process and what is not, or does
not know what files should and should not exist on his machine, or what
sockets should and should not be listening, then a clue for the admin is what
is needed most of all.  He should assume the box has been compromised and
reinstall from scratch after taking some time to learn what should be allowed
to run on an Internet-connected host, and how to remove unnecessary services.


TIA,
Mark



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com


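The checks Mike describes above (verify ps and netstat against a known-good copy, look for listening sockets you don't recognise) as an added example, not code from the original mail or from Sun: one shell function diffs a checksum baseline against the current state, another filters Solaris-style `netstat -an` output against a port allowlist. The hashes, paths and netstat lines are constructed sample data; the binary names and ports are placeholders.

```shell
# Added example, not code from the original mail: compare diagnostic binaries
# against a known-good checksum baseline and list LISTEN sockets whose port is
# not on an allowlist. All data below is constructed sample input (fake hashes,
# paths and netstat lines).
# compare_baseline BASELINE CURRENT: each argument holds "<hash>  <path>" lines
# (sha256sum format). Prints CHANGED/MISSING/NEW lines, nothing if they agree.
compare_baseline() {
    {
        printf '%s\n' "$1" | awk 'NF { print "B", $1, $2 }'
        printf '%s\n' "$2" | awk 'NF { print "C", $1, $2 }'
    } | awk '
        $1 == "B" { base[$3] = $2; next }
        $1 == "C" { cur[$3]  = $2; next }
        END {
            for (p in base) {
                if (!(p in cur))            print "MISSING  " p
                else if (cur[p] != base[p]) print "CHANGED  " p
            }
            for (p in cur) if (!(p in base)) print "NEW      " p
        }' | sort
}

# unexpected_listeners NETSTAT_OUTPUT "PORT PORT ...": reads Solaris-style
# "netstat -an" TCP lines and prints the local address of every LISTEN socket
# whose port is not on the space-separated allowlist.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $1; sub(/.*\./, "", port)   # "*.515" or "10.0.0.5.22" -> port
            if (!(port in ok)) print $1
        }'
}

# Constructed baseline from a clean install versus constructed current state:
# ps has been replaced, ls is gone, and an unknown daemon binary has appeared.
BASELINE='aaa111  /usr/bin/ps
bbb222  /usr/bin/netstat
ccc333  /usr/bin/ls'
CURRENT='zzz999  /usr/bin/ps
bbb222  /usr/bin/netstat
ddd444  /usr/sbin/unknownd'
# Constructed netstat -an excerpt; only port 22 is expected on this host.
NETSTAT_SAMPLE='   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
      *.22                 *.*                0      0 24576      0 LISTEN
      *.515                *.*                0      0 24576      0 LISTEN
      *.8765               *.*                0      0 24576      0 LISTEN
 10.0.0.5.22      10.0.0.9.40000  16384      0 24576      0 ESTABLISHED'
compare_baseline "$BASELINE" "$CURRENT"      # CHANGED ps, MISSING ls, NEW unknownd
unexpected_listeners "$NETSTAT_SAMPLE" "22"  # *.515 and *.8765
```

On a real host the baseline must come from media or a never-connected machine, as the mail says, and the checks must be run with a ps, netstat and awk copied from that same trusted source.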


