solaris rootkit investigation

From: SecLists (listsat_private)
Date: Wed Jun 06 2001 - 09:54:24 PDT

    Hello all...
    
    First time posting to the list here...
    
    One of our customers who we do security services for when they are needed
    recently had a Solaris 7 box compromised. There appears to be a rootkit
    installed that opens an ssh daemon on port 27354 with an sshd_host_key.pub
    of:
    
    ...root@NoraD
    
    Has anyone seen this before? Or has any info on it? I.e., what binaries have
    been trojaned, what files have been replaced, etc.?
    
    Thanks,
    
    Shawn Duffy
    