Security Incidents mailing list archives
Solaris script kiddie incident
From: Norbert Bollow <nb () THINKCOACH COM>
Date: Wed, 9 May 2001 10:41:39 +0200
Greetings,

we had a root compromise on a Solaris server recently: On Apr 30 23:30 US Eastern time, a regular user account 'game' and a root account 'nois' were added to /etc/passwd ... then the intruder logged in and su'd to root.

From the lastlog:
--snip------------------------------------------------------------
game pts/0 200.190.14.66 Mon Apr 30 23:30 - 23:32 (00:01)
--snap------------------------------------------------------------

From the syslog:
--snip------------------------------------------------------------
Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
--snap------------------------------------------------------------

So far we have not been able to find any trojan/root-kit etc. The obvious logfile entries suggest that it may have been a "script kiddie" rather than a knowledgeable hacker.

Is anyone aware of an intrusion tool that creates 'game'/'nois' accounts? I'd really like to know how the hacker got in... :-)

Greetings, Norbert.

--
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59 Fax +41 1 972 20 69 nb () thinkcoach com
Currently recruiting: Perl programmers and JSP (JavaServer Pages) programmers for the "Traffic Building Bulletin Board System" project at FreeDevelopers.Net ------------------> See http://tbbbs.org
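As an added illustration, not part of Norbert's post and not code from any tool mentioned in the thread: a small Python check that looks for exactly the pattern he describes, an extra UID-0 account in /etc/passwd and a successful su into it from an ordinary account, by parsing the Solaris su(1M) syslog format quoted above. The /etc/passwd entries and the benign syslog lines below are constructed for the example; the one su line is the one quoted in the post. Running this as a cron job against the live files, and alerting on any non-empty result, would have flagged the 'nois' account within minutes of its creation.

```python
import re
from typing import Dict, List, Tuple

# Solaris su(1M) syslog line, as quoted in the post:
#   Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su: "
    r"'su (?P<target>\S+)' (?P<result>succeeded|failed) for (?P<user>\S+) on (?P<tty>\S+)$"
)

# Constructed /etc/passwd content (assumption: this is what the added 'game'
# and 'nois' entries might have looked like; the real file is not in the post).
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
game:x:1001:10:game:/home/game:/bin/sh
nois:x:0:1::/:/bin/sh
"""

# Constructed syslog sample: one benign su, one failed su, plus the line from the post.
SAMPLE_SYSLOG = [
    "Apr 30 22:10:05 tarsus.cisto.org su: 'su root' succeeded for admin on /dev/pts/1",
    "Apr 30 23:29:50 tarsus.cisto.org su: 'su root' failed for game on /dev/pts/0",
    "Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0",
]


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> numeric UID from /etc/passwd-style text.

    Malformed lines are skipped rather than raising, because a tampered
    passwd file is exactly the case in which this check must still run."""
    uids: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            uids[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return uids


def root_equivalent_accounts(uids: Dict[str, int]) -> List[str]:
    """Every UID-0 account other than 'root' is a second root login and a red flag."""
    return sorted(name for name, uid in uids.items() if uid == 0 and name != "root")


def suspicious_su(syslog_lines: List[str], uids: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, target) for each successful su into a UID-0
    account that is not named 'root'. Failed attempts and su to 'root' itself
    are left to normal review; this isolates the added-root-account case."""
    hits: List[Tuple[str, str, str]] = []
    for line in syslog_lines:
        m = SU_RE.match(line)
        if not m or m.group("result") != "succeeded":
            continue
        target = m.group("target")
        if uids.get(target) == 0 and target != "root":
            hits.append((m.group("ts"), m.group("user"), target))
    return hits


if __name__ == "__main__":
    uids = parse_passwd(SAMPLE_PASSWD)
    print("extra UID-0 accounts:", root_equivalent_accounts(uids))
    for ts, user, target in suspicious_su(SAMPLE_SYSLOG, uids):
        print(f"{ts}: {user} became UID-0 account {target}")
```

On a real host the two inputs would be read from /etc/passwd and /var/adm/messages (or wherever syslog.conf sends auth messages); the check is deliberately independent of lastlog so it still fires when wtmp/lastlog have been cleaned but syslog has not.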
Current thread:
- Solaris script kiddie incident Norbert Bollow (May 09)
- <Possible follow-ups>
- Re: Solaris script kiddie incident Yiming Gong (May 10)