Security Incidents mailing list archives
Re: Solaris hack
From: Valdis.Kletnieks () vt edu
Date: Fri, 22 Feb 2002 19:44:05 -0500
On Thu, 21 Feb 2002 20:05:06 PST, Jamie Lawrence <jal () abulafia com> said:
> I'm helping with a Solaris 8 box that was rooted. The attacker replaced the /usr/bin/mc680*0 binaries, so many of the usual administrative commands are misbehaving. Is this from a rootkit anyone has seen before?
There was a posting that smelled like this on another list - U of
Oregon got hit, and we've seen a few at our site as well.
Date: Tue, 19 Feb 2002 14:28:36 -0800 (PST)
From: John Kemp <kemp () network-services uoregon edu>
Subject: [unisog] Solaris 7 dtspcd attack against UOREGON.EDU
To: unisog () sans org
I'm not sure if there's an archive of that at SANS...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
