Security Incidents mailing list archives
RE: solaris rootkit investigation
From: Dave Salovesh <salovesh () ramassociates com>
Date: Wed, 6 Jun 2001 17:15:58 -0400
...root@NoraD has anyone seen this before? or has any info on it? ie, what binaries have been trojaned, what files have been replaced, etc.??
Third out of four at google on "root@norad" (the other three are unrelated)...

http://www.sans.org/y2k/the_compromise.htm

Except that's RH7, not Solaris. Look for similarities anyway, but at this point all you can conclude is that your visitor may have installed a similar sshd - you can't know if it came to you in the same way, or if the damages were limited to the same ones discussed above. Even with this list and analysis, you'll need to do the legwork of examining your own system methodically.

Hoping that helps...

--
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635