Re: Anybody recognize this Solaris compromise?

["Jamie Riden" <jamie.riden () gmail com>]

Hi David,

Were you/they running telnetd as a service in February? See
http://www.kb.cert.org/vuls/id/881872

On 13/04/07, David Gillett <gillettdavid () fhda edu> wrote:
>   I've got a Solaris machine on my network that has acquired
> an unauthorized behaviour of unknown origin.  Every night,
> from 1:10:30am until 6:00:30am, it tries to establish outbound
> telnet connections to addresses all over the Internet.
<snip>
>   The machine is running the SIRSI library application; it's possible
> that the vulnerability is associated with that and not generically with
> Solaris.  We're not heavy Solaris users here, and so IT doesn't support
> that machine -- I'm trying to help our SIRSI admin pin down what's going
> on so they can determine how to identify and remove the culprit.

Reformat and re-install? It's the only way to be sure you've cleaned
it properly. Probably cheaper than a thorough forensic examination as
well.

cheers,
Jamie
--
Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!"- 
SPI Dynamics White Paper 
It's as simple as placing additional SQL commands into a Web Form input 
box giving hackers complete access to all your backend systems! 
Firewalls and IDS will not stop such attacks because SQL Injections are 
NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics 
for a complete guide to protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CiNE
--------------------------------------------------------------------------