Security Incidents mailing list archives

RE: solaris rootkit investigation


From: Dave Salovesh <salovesh () ramassociates com>
Date: Wed, 6 Jun 2001 17:15:58 -0400


...root@NoraD

has anyone seen this before? or has any info on it? ie, what binaries have
been trojaned, what files have been replaced, etc.??

Third out of four at google on "root@norad" (the other three are
unrelated)...

http://www.sans.org/y2k/the_compromise.htm

Except that's RH7, not Solaris.  Look for similarities anyway, but at this
point all you can conclude is that your visitor may have installed a similar
sshd - you can't know if it came to you in the same way, or if the damages
were limited to the same ones discussed above.  Even with this list and
analysis, you'll need to do the legwork of examining your own system
methodically.

Hoping that helps...

-- 
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635
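The methodical examination the reply recommends usually starts with the question quoted at the top of the thread: which binaries were replaced. A baseline file-integrity comparison is the standard way to answer it. The script below is an added illustration, not code from the list or from either poster: it hashes a directory tree, stores the result as a manifest, and diffs a later snapshot against it, reporting files that changed, vanished, or appeared. The directory layout, file contents and the "trojaned sshd" are constructed sample data; the function names are my own. The caveat that matters in practice: the baseline must have been taken before the compromise (or from vendor media), and the comparison must run with tools and a kernel you trust, because a rootkit that replaced `ls` or `sshd` may just as well have replaced the hashing utilities on the same box.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load fully."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root) -> dict:
    """Manifest of every regular file under root: relative path -> SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to pad the manifest with files that are not actually installed here.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff two manifests from the defender's point of view.

    modified: same path, different content (the 'trojaned binary' case)
    missing:  present in the baseline, gone now (deleted logs, removed tools)
    added:    not in the baseline at all (dropped files, hidden directories)
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny fake system tree, then simulate
    a replaced sshd, a deleted ls and a dropped hidden file, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "sbin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")          # constructed content
        (root / "sbin" / "sshd").write_bytes(b"original sshd binary")     # constructed content

        baseline = hash_tree(root)  # in real life: taken from trusted media, stored off-box

        (root / "sbin" / "sshd").write_bytes(b"replaced sshd binary")     # simulated trojan
        (root / "bin" / ".hidden_tool").write_bytes(b"dropped file")      # simulated drop
        (root / "bin" / "ls").unlink()                                    # simulated deletion

        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real host you would write `hash_tree("/usr")` (and `/etc`, `/sbin`, ...) to a file on read-only media while the system is still trusted, and later run the comparison from a clean boot against that file rather than against anything stored on the suspect disk. Matching hashes say nothing about kernel-level tampering, so this check complements, rather than replaces, looking at the running system.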

