Security Incidents mailing list archives
Re: Solaris hack
From: Steve Huston <huston () astro Princeton EDU>
Date: Thu, 28 Feb 2002 16:29:04 -0500 (EST)
On Mon, 25 Feb 2002, Christopher X. Candreva wrote:
> On Fri, 22 Feb 2002, Matt K. wrote:
>
> > They most likely got in via dtspcd or ttdbserver. Run strings on
> > /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the
> > dates on files such as /bin/ls. The rootkit doesn't seem to change the
>
> Specifically, u370 was the real login, and login was replaced. They
> replace the programs that ID CPU types that will never be run.
I just got one of these too; upon booting from CD and doing a little poking around, I found in /usr/lib/vold/nsdap the file 'defines', which contained the following:

======
# Edit these

# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"

# Your email address
EMAIL="bert.smith () mbox bol bg"

# debug mode on or off
DEBUG=0

# file location settings
BACKUP_LS="/usr/bin/mc68000"
BACKUP_DU="/usr/bin/mc68010"
BACKUP_PS="/usr/bin/mc68020"
BACKUP_UCBPS="/usr/ucb/bin/ps"
BACKUP_SU="/usr/bin/m68k"
BACKUP_PASSWD="/usr/bin/sun2"
BACKUP_FIND="/usr/bin/mc68030"
BACKUP_NETSTAT="/usr/bin/mc68040"
BACKUP_PING="/usr/bin/sun3"
BACKUP_STRINGS="/usr/bin/sun3x"
BACKUP_LSOF="/usr/bin/lso"
BACKUP_LOGIN="/usr/bin/u370"
======

--
Steve Huston - System Administrator, Dept. of Astrophysical Sciences
Princeton University          | ICBM Address: 40.346525 -74.651285
126 Peyton Hall               |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544           | the galaxies; headed for the heart of Cygnus,
(609) 258-7375                | headlong into mystery."  -Rush, 'Cygnus X-1'

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
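The 'defines' file above is useful as an indicator list: the BACKUP_* entries name where the rootkit stashed the original binaries (under fake CPU-type names that are never normally run, as Christopher noted for u370/login), and RKDIR names the install directory. The following script is an added example, not something from the thread or from the rootkit itself; it pulls those paths out of a defines file, reports which of them exist on the host being examined, and checks a binary for the 'sexygurl' marker Matt K. mentioned. The sample defines it writes is constructed for demonstration (the email address is a placeholder); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): turn a rootkit "defines" file
# into a checklist of paths to look for on a possibly compromised Solaris host.

# Print the quoted value of RKDIR and of every BACKUP_* assignment, one per line.
# $1: path to the defines file
rk_backup_paths() {
    sed -n -e 's/^RKDIR="\([^"]*\)".*/\1/p' \
           -e 's/^BACKUP_[A-Z]*="\([^"]*\)".*/\1/p' "$1"
}

# Report which of the listed paths are present on this host.
# Prints "PRESENT <path>" per hit and a summary line; returns 0 when nothing
# was found and 1 when at least one path exists (i.e. the box looks rooted).
# $1: path to the defines file
rk_check_backups() {
    hits=0
    for p in $(rk_backup_paths "$1"); do
        if [ -e "$p" ]; then
            echo "PRESENT $p"
            hits=$((hits + 1))
        fi
    done
    echo "$hits rootkit paths present"
    [ "$hits" -eq 0 ]
}

# Check a binary for the 'sexygurl' marker (the thread points at /usr/ucb/ps).
# $1: file to scan. Returns 0 if the marker is found, 1 otherwise.
rk_marker_present() {
    [ -f "$1" ] && strings "$1" 2>/dev/null | grep -q 'sexygurl'
}

# Constructed sample defines file in the same layout as the one quoted above
# (a subset of the paths from the post; the email address is a placeholder).
# $1: where to write it
write_sample_defines() {
    cat > "$1" <<'EOF'
# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
# Your email address
EMAIL="attacker@example.invalid"
# debug mode on or off
DEBUG=0
# file location settings
BACKUP_LS="/usr/bin/mc68000"
BACKUP_PS="/usr/bin/mc68020"
BACKUP_LOGIN="/usr/bin/u370"
EOF
}

# Usage: sh rkcheck.sh /mnt/usr/lib/vold/nsdap/defines
# (run against the suspect disk mounted from a clean boot, as in the post)
if [ $# -gt 0 ]; then
    rk_check_backups "$1"
    rk_marker_present /usr/ucb/ps && echo "marker 'sexygurl' found in /usr/ucb/ps"
fi
```

Run it from a CD-booted system with the suspect root mounted elsewhere, since the trojaned ls/find/strings on the compromised disk cannot be trusted to report their own replacements; the sed extraction deliberately ignores anything that is not a quoted RKDIR or BACKUP_* assignment, so comments and DEBUG/EMAIL lines do not leak into the path list.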