I think first you should show us what services your server is running. Perhaps an exploit of snmpdx or bind? Give us your system configuration in detail.

>Greetings,
>
> we had a root compromise on a Solaris server recently: On Apr 30
>23:30 US Eastern time, a regular user account 'game' and a root
>account 'nois' were added to /etc/passwd ... then the intruder
>logged in and su'd to root.
>
>from the lastlog:
>
>--snip------------------------------------------------------------
>game pts/0 200.190.14.66 Mon Apr 30 23:30 - 23:32 (00:01)
>--snap------------------------------------------------------------
>
>from the syslog:
>
>--snip------------------------------------------------------------
>Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
>--snap------------------------------------------------------------
>
>So far we have not been able to find any trojan/root-kit etc.
>The obvious logfile entries suggest that it may have been a
>"script kiddie" rather than a knowledgeable hacker.
>
>Is anyone aware of an intrusion tool that creates 'game'/'nois'
>accounts? I'd really like to know how the hacker got in... :-)
>
>Greetings, Norbert.
>
>--
>Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
>Tel +41 1 972 20 59 Fax +41 1 972 20 69 nbat_private
>> Currently recruiting: Perl programmers and JSP (JavaServer Pages)
>> programmers for the "Traffic Building Bulletin Board System" project
>> at FreeDevelopers.Net ------------------> See http://tbbbs.org

Yiming Gong yimingat_private
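The three artifacts Norbert quotes (an extra uid-0 entry in /etc/passwd, a remote login in lastlog, and a successful `su` to that entry in syslog) are the pieces one would correlate on any Solaris box after a compromise like this. The script below is an added example written for this archive page, not code from either poster: it parses a /etc/passwd snapshot for uid-0 accounts other than root, parses `last`-style session records and Solaris `su` syslog lines, and ties each successful `su` to a rogue uid-0 account back to the remote session it happened in (same user, same tty, within the session window). The passwd, lastlog and syslog text is constructed for the example; only the `game`/`nois` names, the host `tarsus.cisto.org`, the address `200.190.14.66` and the 23:30 timestamps come from the post, and the year 2001 is an assumption taken from the archive date, since syslog lines carry no year.

```python
"""Correlate /etc/passwd, lastlog and syslog 'su' records to find a
freshly added uid-0 backdoor account being used from a remote session.

Added example for the mailing-list thread above; the inputs below are
constructed, with only the names, host, address and times from the post.
"""
import re
from datetime import datetime, timedelta

# Constructed /etc/passwd snapshot: 'nois' is the uid-0 account from the
# post, 'game' the regular account that logged in; the rest are fillers.
PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:Nobody:/:
game:x:1001:10::/export/home/game:/bin/sh
nois:x:0:1::/:/bin/sh
"""

# Constructed `last`-style records; the first line is the one in the post.
LASTLOG = """\
game      pts/0        200.190.14.66    Mon Apr 30 23:30 - 23:32  (00:01)
norbert   pts/1        10.0.0.5         Mon Apr 30 18:02 - 18:40  (00:38)
"""

# Constructed syslog excerpt; the 'su nois' line is the one in the post,
# the admin's own 'su root' and a failed attempt are added as noise.
SYSLOG = """\
Apr 30 18:03:11 tarsus.cisto.org su: 'su root' succeeded for norbert on /dev/pts/1
Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
Apr 30 23:31:02 tarsus.cisto.org su: 'su root' failed for game on /dev/pts/0
"""

YEAR = 2001  # assumption: syslog has no year field, taken from the archive date

SESSION_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3} (?P<mon>\w{3}) +(?P<day>\d+) "
    r"(?P<start>\d\d:\d\d) - (?P<end>\d\d:\d\d)"
)
SU_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"'su (?P<target>\S+)' (?P<result>succeeded|failed) for (?P<user>\S+) on (?P<tty>\S+)$"
)


def rogue_uid0(passwd_text):
    """Every account with uid 0 other than root; any hit is a backdoor candidate."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def parse_sessions(last_text, year):
    """Login sessions as (user, tty, remote host, start, end) from `last` output."""
    sessions = []
    for line in last_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        day = f"{year} {m['mon']} {m['day']}"
        sessions.append({
            "user": m["user"], "tty": m["tty"], "host": m["host"],
            "start": datetime.strptime(f"{day} {m['start']}", "%Y %b %d %H:%M"),
            # `last` prints minutes only, so pad the end by a minute.
            "end": datetime.strptime(f"{day} {m['end']}", "%Y %b %d %H:%M") + timedelta(minutes=1),
        })
    return sessions


def parse_su(syslog_text, year):
    """Solaris su syslog lines; the tty is normalised to the form `last` uses."""
    events = []
    for line in syslog_text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        tty = m["tty"][5:] if m["tty"].startswith("/dev/") else m["tty"]
        events.append({
            "when": datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"),
            "user": m["user"], "target": m["target"], "tty": tty,
            "ok": m["result"] == "succeeded",
        })
    return events


def correlate(passwd_text, last_text, syslog_text, year):
    """Successful su's into a rogue uid-0 account, each tied to the remote
    session (user, tty, time window) it was issued from: (time, user, target, origin)."""
    backdoors = set(rogue_uid0(passwd_text))
    sessions = parse_sessions(last_text, year)
    findings = []
    for ev in parse_su(syslog_text, year):
        if not ev["ok"] or ev["target"] not in backdoors:
            continue
        origin = next((s["host"] for s in sessions
                       if s["user"] == ev["user"] and s["tty"] == ev["tty"]
                       and s["start"] <= ev["when"] <= s["end"]), None)
        findings.append((ev["when"].strftime("%b %d %H:%M:%S"), ev["user"], ev["target"], origin))
    return findings


if __name__ == "__main__":
    print("uid-0 accounts other than root:", rogue_uid0(PASSWD))
    for when, user, target, origin in correlate(PASSWD, LASTLOG, SYSLOG, YEAR):
        print(f"{when}: {user} became {target} from session originating at {origin}")
```

The admin's own `su root` is deliberately not flagged: the signal in this incident is not "someone became root" but "someone became a uid-0 account that should not exist", which is why the passwd check drives the correlation. On a real host, take the passwd snapshot from backup media or a known-good copy, since the live file is exactly what the intruder edited.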
This archive was generated by hypermail 2b30 : Thu May 10 2001 - 14:52:15 PDT