Re: httpd and sunrpc probes from 'sunos 5.6' machines

From: Brad Doctor (bdoctor@PS-AX.COM)
Date: Mon May 07 2001 - 07:22:58 PDT


    I've also seen much of the same -- I submitted this to the list over the
    weekend, but it apparently never made it there.
    
    Basically, there is a worm process much like Lion, etc. that after compromising
    the machine, starts generating IP addresses and going after more.  The exploit
    that is being used is some sort of sadmin exploit.  A tell-tale sign is a
    root shell open on port 600 (not functional however).  The exploit places its
    contents in /dev/cuc and goes to town with a perl script and a random number
    generator.  It also creates a wide-open .rhosts for root.  It also starts
    an inetd process with /tmp/.x that has one service, the root shell bound to
    it, just like the lion stuff did a la "sh -i", however this shell has no IO
    capabilities on Solaris, and is thus useless.  So, much like the other worms,
    this one trudges on blindly after cracking a machine that was wide-open to
    begin with.  I think the same group wrote this one as well due to its
    similarities in execution and methodology.  It is executing Unicode attacks,
    with static HTML in the perl script, typical anti US stuff.
    
    Moderator->Can this get posted to the list please?
    
    -brad
    
    > hi,
    >
    > during the past three days i've received both
    > httpd and sunrpc scans originating from what seem
    > to be sunos 5.6 boxes, according to the motd.
    >
    > anyone else noticed the same? some worm rewriting
    > linux motds or is there
    > maybe something more alarming going on?
    >
    



    This archive was generated by hypermail 2b30 : Mon May 07 2001 - 14:34:03 PDT