Security Incidents mailing list archives

Re: Solaris hack


From: "Christopher X. Candreva" <chris () westnet com>
Date: Mon, 25 Feb 2002 10:58:14 -0500 (EST)

On Fri, 22 Feb 2002, Matt K. wrote:

> They most likely got in via dtspcd or ttdbserver.  Run strings on
> /usr/ucb/ps and see if you see 'sexygurl' near the end.  Also, check the
> dates on files such as /bin/ls.  The rootkit doesn't seem to change the

Also these:
-r-sr-xr-x   1 root     root        17156 Jan 14 20:56 m68k
-rwxr-xr-x   1 root     root       301632 Jan 14 20:56 mc68000
-r-xr-xr-x   1 root     root         9296 Jan 14 20:56 mc68010
-r-sr-xr-x   1 root     root        36520 Jan 14 20:56 mc68020
-r-xr-xr-x   1 root     root        20064 Jan 14 20:56 mc68030
-r-xr-sr-x   1 root     root        55168 Jan 14 20:56 mc68040
-rwxr-xr-x   1 root     root       558868 Jan 14 20:56 sshd2
-r-sr-sr-x   1 root     root       101744 Jan 14 20:56 sun2
-r-sr-xr-x   1 root     root        48028 Jan 14 20:56 sun3
-r-xr-xr-x   1 root     root         9028 Jan 14 20:56 sun3x
-r-sr-xr-x   1 root     root        29200 Jan 14 20:56 u370
-r-xr-xr-x   1 root     root         5256 Jan 14 20:57 w

(cut/paste from a machine I fixed 2 weeks ago. Dates are when our machine
got hacked, not relevant for you).

Specifically, u370 was the real login, and login was replaced.

They replace the programs that identify CPU types, which will never be run.

==========================================================
Chris Candreva  -- chris () westnet com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
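A defender-side check scripted from the indicators in this post (an added example, not code from the thread): on a stock Solaris box the machine-type programs (m68k, sun2, u370 and so on) are tiny hard links to one binary, so they all share a size and are never set-uid. The function names, the output format and the choice of `tr` as a stand-in for `strings` are assumptions of this example; the marker string and file names come from the post.

```sh
#!/bin/sh
# Hypothetical rootkit triage helpers based on the post above.
# Names listed in the post; which names to check is an assumption.
MACHID_NAMES="m68k mc68000 mc68010 mc68020 mc68030 mc68040 sun2 sun3 sun3x u370"

# check_machid_dir DIR
# Prints one "name reason" line per suspicious file: any machine-type
# program that is set-uid/set-gid, or whose size differs from the first
# one found (they should all be the same file).  If the first one is the
# trojaned copy, every sibling gets flagged instead, which still surfaces it.
check_machid_dir() {
    dir=$1
    ref_size=""
    for name in $MACHID_NAMES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # wc -c is portable; stat flags differ between Solaris and Linux
        size=$(wc -c < "$f" | tr -d ' ')
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$name setuid-or-setgid"
        fi
        if [ -z "$ref_size" ]; then
            ref_size=$size
        elif [ "$size" -ne "$ref_size" ]; then
            echo "$name size-$size-differs-from-$ref_size"
        fi
    done
}

# check_ps_marker FILE MARKER
# Returns 0 if the printable strings of FILE contain MARKER (e.g. the
# 'sexygurl' string the post says to look for in /usr/ucb/ps), else 1.
# tr(1) splitting on non-printable bytes stands in for strings(1).
check_ps_marker() {
    tr -c '[:print:]' '\n' < "$1" | grep -q -- "$2"
}
```

Run as `check_machid_dir /usr/bin` and `check_ps_marker /usr/ucb/ps sexygurl` on the host under review; an empty report is no proof of a clean system, only the absence of these particular indicators.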


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

