Re: Solaris script kiddie incident

[Yiming Gong <yiming () SECURITY ZZ HA CN>]

I think first you should display us what services you server are now runing,
Perhaps exploit of snmpdx or bind?
Give us you system configuration  detailed.

> Greetings,
>  we had a root compromise on a Solaris server recently: On Apr 30
> 23:30 US Eastern time, a regular user account 'game' and a root
> account 'nois' were added to /etc/passwd ... then the intruder
> logged in and su'd to root
>
> from the lastlog:
>
> --snip------------------------------------------------------------
> game      pts/0        200.190.14.66    Mon Apr 30 23:30 - 23:32  (00:01)
> --snap------------------------------------------------------------
>
> from the syslog:
>
> --snip------------------------------------------------------------
> Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
> --snap------------------------------------------------------------
>
> So far we have not been able to find any trojan/root-kit etc.
> The obvious logfile entries suggest that it may have been a
> "script kiddie" rather than a knowledgeable hacker.
>
> Is anyone aware of an intrusion tool that creates 'game'/'nois'
> accounts?  I'd really like to know how the hacker got in... :-)
>
> Greetings, Norbert.
>
> --
> Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
> Tel +41 1 972 20 59       Fax +41 1 972 20 69        nb () thinkcoach com
> > Currently recruiting:  Perl programmers  and  JSP (JavaServer Pages)
> > programmers for the "Traffic Building Bulletin Board System" project
> > at FreeDevelopers.Net    ------------------>    See http://tbbbs.org


            Yiming Gong
            yiming () security zz ha cn