Security Incidents mailing list archives

Re: Solaris hack


From: Steve Huston <huston () astro Princeton EDU>
Date: Thu, 28 Feb 2002 16:29:04 -0500 (EST)

On Mon, 25 Feb 2002, Christopher X. Candreva wrote:

On Fri, 22 Feb 2002, Matt K. wrote:

They most likely got in via dtspcd or ttdbserver.  Run strings on
/usr/ucb/ps and see if you see 'sexygurl' near the end.  Also, check the
dates on files such as /bin/ls.  The rootkit doesn't seem to change the

Specifically, u370 was the real login, and login was replaced.

They replace the programs that ID CPU types, which will never be run.

I just got one of these too; upon booting from CD and doing a little poking
around, I found in /usr/lib/vold/nsdap the file 'defines', which contained the
following:

======

# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
# Your email address
EMAIL="bert.smith () mbox bol bg"
# debug mode on or off
DEBUG=0

# file location settings

BACKUP_LS="/usr/bin/mc68000"
BACKUP_DU="/usr/bin/mc68010"
BACKUP_PS="/usr/bin/mc68020"
BACKUP_UCBPS="/usr/ucb/bin/ps"
BACKUP_SU="/usr/bin/m68k"
BACKUP_PASSWD="/usr/bin/sun2"
BACKUP_FIND="/usr/bin/mc68030"
BACKUP_NETSTAT="/usr/bin/mc68040"
BACKUP_PING="/usr/bin/sun3"
BACKUP_STRINGS="/usr/bin/sun3x"
BACKUP_LSOF="/usr/bin/lso"
BACKUP_LOGIN="/usr/bin/u370"

======

-- 
Steve Huston - System Administrator, Dept. of Astrophysical Sciences
 Princeton University  |     ICBM Address: 40.346525   -74.651285
   126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'
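As an added example (not part of Steve's post, and not code from the rootkit): a small POSIX sh triage script that turns the 'defines' file quoted above into a checklist and applies the thread's three hints (the 'sexygurl' string in /usr/ucb/ps, the stashed originals parked under CPU-type names, and recently modified binaries) against a disk mounted read-only after booting from CD. The function names, the ROOT variable and the constructed sample inputs are this example's own assumptions; nothing from the suspect disk is executed, not even its strings(1).

```shell
#!/bin/sh
# Added example: offline triage for the rootkit described in this thread.
# Not from the post or the rootkit; function names, $ROOT and the sample
# data are this example's own. Run as ROOT=/a ./triage.sh against a disk
# mounted (read-only) under /a from a CD boot.

# Constructed copy of the relevant lines of the 'defines' file quoted in the
# post; a real run would read the recovered file from the victim instead.
RK_DEFINES='# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
BACKUP_LS="/usr/bin/mc68000"
BACKUP_DU="/usr/bin/mc68010"
BACKUP_PS="/usr/bin/mc68020"
BACKUP_UCBPS="/usr/ucb/bin/ps"
BACKUP_SU="/usr/bin/m68k"
BACKUP_PASSWD="/usr/bin/sun2"
BACKUP_FIND="/usr/bin/mc68030"
BACKUP_NETSTAT="/usr/bin/mc68040"
BACKUP_PING="/usr/bin/sun3"
BACKUP_STRINGS="/usr/bin/sun3x"
BACKUP_LSOF="/usr/bin/lso"
BACKUP_LOGIN="/usr/bin/u370"'

# Read a defines file on stdin; print one indicator path per line:
# the install directory plus every BACKUP_* location of a stashed original.
rk_indicator_paths() {
    awk -F'"' '/^(RKDIR|BACKUP_[A-Z]+)=/ { print $2 }'
}

# Read indicator paths on stdin and test each one under the mounted root $1.
# Prints a FOUND line per hit; returns 0 when clean, 1 when anything matched.
rk_check_paths() {
    root=$1
    hits=0
    while read -r p; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Poor man's strings(1): does binary $1 contain the printable marker $2?
# Uses only tr/grep from the boot media, never the suspect disk's binaries.
rk_has_marker() {
    tr -c '[:print:]' '\n' < "$1" | grep -q -- "$2"
}

# Files under $1$2 modified within the last $3 days: the post's "check the
# dates" step. Any hit on an unpatched box deserves a look.
rk_recent_files() {
    [ -d "$1$2" ] || return 0
    find "$1$2" -type f -mtime "-$3"
}

# Full sweep of a mounted root; returns 1 if any indicator matched.
rk_sweep() {
    root=$1
    status=0
    printf '%s\n' "$RK_DEFINES" | rk_indicator_paths | rk_check_paths "$root" || status=1
    if [ -f "$root/usr/ucb/ps" ] && rk_has_marker "$root/usr/ucb/ps" sexygurl; then
        echo "FOUND: marker 'sexygurl' in $root/usr/ucb/ps"
        status=1
    fi
    rk_recent_files "$root" /usr/bin 30
    rk_recent_files "$root" /bin 30
    return $status
}

if [ -n "${ROOT:-}" ]; then
    rk_sweep "$ROOT"
fi
```

The path check is the cheapest and most specific test: the rootkit parks the real ls, ps, su and login under names like /usr/bin/mc68000 and /usr/bin/u370 that a stock Solaris box does not have, so a hit there is hard to explain away. The date scan is noisy by design and is there to be eyeballed, not scored.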


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

