Solaris script kiddie incident

From: Norbert Bollow (nbat_private)
Date: Wed May 09 2001 - 01:41:39 PDT


    Greetings,
      we had a root compromise on a Solaris server recently: On Apr 30
    23:30 US Eastern time, a regular user account 'game' and a root
    account 'nois' were added to /etc/passwd ... then the intruder
    logged in and su'd to root
    
    from the lastlog:
    
    --snip------------------------------------------------------------
    game      pts/0        200.190.14.66    Mon Apr 30 23:30 - 23:32  (00:01)
    --snap------------------------------------------------------------
    
    from the syslog:
    
    --snip------------------------------------------------------------
    Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
    --snap------------------------------------------------------------
    
    So far we have not been able to find any trojan/root-kit etc.
    The obvious logfile entries suggest that it may have been a
    "script kiddie" rather than a knowledgeable hacker.
    
    Is anyone aware of an intrusion tool that creates 'game'/'nois'
    accounts?  I'd really like to know how the hacker got in... :-)
    
    Greetings, Norbert.
    
    --
    Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
    Tel +41 1 972 20 59       Fax +41 1 972 20 69        nbat_private
    > Currently recruiting:  Perl programmers  and  JSP (JavaServer Pages)
    > programmers for the "Traffic Building Bulletin Board System" project
    > at FreeDevelopers.Net    ------------------>    See http://tbbbs.org
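The two log lines in the post (a lastlog session for `game` and a syslog `su` record for `game` becoming `nois`) are exactly the evidence a quick triage script can correlate against the password file. The following is an added example, not code from the original post or from the poster: it parses a constructed post-compromise `/etc/passwd` snapshot, a constructed known-good list of account names, and Solaris-style `su` syslog lines in the format shown above, then reports extra uid 0 accounts, accounts missing from the baseline, and successful `su` events into or from such accounts. The hostname, account names and timestamp are taken from the post; the uids, shells, home directories and the second syslog line are sample values constructed for the example.

```python
"""Triage helper for a 'new root account added to /etc/passwd' incident.
Added example; the passwd contents, baseline and second syslog line are
constructed sample data, not artifacts from the incident in the post."""
import re

# Constructed /etc/passwd snapshot taken after the compromise. The 'game'
# (ordinary user) and 'nois' (uid 0) entries model what the post describes;
# their uids, gids, home directories and shells are assumptions.
PASSWD_AFTER = """root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
game:x:1001:1:game:/export/home/game:/bin/sh
nois:x:0:1::/:/bin/sh
"""

# Constructed known-good account list, e.g. from a backup or a build record.
BASELINE_USERS = {"root", "daemon", "bin", "nobody"}

# Solaris su(1M) syslog format, as quoted in the post. The second line is a
# constructed benign failure so that the filter has something to ignore.
SYSLOG_SAMPLE = """Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
Apr 30 22:10:01 tarsus.cisto.org su: 'su root' failed for daemon on /dev/pts/1
"""

SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"'su (?P<target>\S+)' (?P<result>succeeded|failed) for (?P<user>\S+) on (?P<tty>\S+)"
)


def parse_passwd(text):
    """Map account name -> numeric uid, skipping comments and malformed lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:  # passwd(4) lines carry seven colon-separated fields
            continue
        name, _pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit():
            accounts[name] = int(uid)
    return accounts


def uid0_accounts(accounts):
    """Every account that is uid 0 but is not named 'root'."""
    return sorted(n for n, uid in accounts.items() if uid == 0 and n != "root")


def unexpected_accounts(accounts, baseline):
    """Accounts present now that were not in the known-good baseline."""
    return sorted(set(accounts) - set(baseline))


def parse_su_events(text):
    """Parse Solaris-style su syslog lines into dicts; non-matching lines are dropped."""
    return [m.groupdict() for m in map(SU_RE.match, text.splitlines()) if m]


def suspicious_su(events, accounts, baseline):
    """Successful su events where the source or target account is outside the
    baseline, or the target is an unexpected uid 0 account."""
    rogue_root = set(uid0_accounts(accounts))
    flagged = []
    for e in events:
        if e["result"] != "succeeded":
            continue
        if (e["target"] in rogue_root
                or e["target"] not in baseline
                or e["user"] not in baseline):
            flagged.append(e)
    return flagged


def triage(passwd_text, baseline, syslog_text):
    """Run all three checks and return one report dict."""
    accounts = parse_passwd(passwd_text)
    events = parse_su_events(syslog_text)
    return {
        "extra_uid0": uid0_accounts(accounts),
        "unexpected": unexpected_accounts(accounts, baseline),
        "suspicious_su": suspicious_su(events, accounts, baseline),
    }


if __name__ == "__main__":
    report = triage(PASSWD_AFTER, BASELINE_USERS, SYSLOG_SAMPLE)
    print("extra uid 0 accounts :", report["extra_uid0"])
    print("accounts not in baseline:", report["unexpected"])
    for e in report["suspicious_su"]:
        print(f"{e['ts']} {e['host']}: {e['user']} -> {e['target']} on {e['tty']}")
```

The baseline comparison is the part that does the real work: a second uid 0 entry is obvious once you look for it, but an ordinary-looking user such as `game` only stands out when checked against a record of which accounts are supposed to exist, which is why keeping a copy of `/etc/passwd` and `/etc/shadow` off the host (or a hash of them) pays off at triage time.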
    



    This archive was generated by hypermail 2b30 : Wed May 09 2001 - 22:40:36 PDT