Re: .baa0xdd1r??

From: Bill Burge (billat_private)
Date: Mon Jul 30 2001 - 14:08:48 PDT


    Anything interesting in the output of "strings /usr/sbin/in.telnetd" or "strings /bin/login"?
    
    Last time I looked, Solaris 2.5.1's "ls" wasn't compiled with GNU file utils (but it WAS on the system I looked at this morning!  ;-)
    
    Bill Burge
    
    
    
    *********** REPLY SEPARATOR  ***********
    
    On 7/30/2001 at 11:48 AM SecLists wrote:
    
    >We have a customer's system that we believe was hacked...
    >
    >in /var/tmp there is a binary file:
    >.baa0xdd1r
    >
    >it appears to have replaced /usr/sbin/in.telnetd
    >
    >/bin/login also appears suspect...
    >
    >this is:
    >bash-2.01# uname -a
    >SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
    >
    >
    >does this sound like a familiar rootkit? or is something totally new?
    >
    >we are still gathering info but I wanted to post this soon in the chance
    >that someone has dealt with this before.. don't want to have to reinvent
    >the wheel...
    >
    >thanks,
    >
    >shawn
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
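The triage Bill suggests (dumping the printable strings of the suspect /var/tmp file and of in.telnetd and login, and checking whether the dropped file is byte-for-byte the same as what is installed) as an added example script; it is not from the thread. It uses only POSIX tools so it also runs on an old Solaris box without GNU binutils, and the WATCH pattern list is an assumed, illustrative set of substrings to flag, not indicators taken from the thread.

```shell
#!/bin/sh
# Added triage helper, not code from the original post.
# Usage: sh triage.sh /var/tmp/.baa0xdd1r /usr/sbin/in.telnetd /bin/login

# Illustrative watch list (assumption): strings a login or telnet daemon
# would not normally carry, one ERE alternative per item.
WATCH='/var/tmp|/tmp/\.|\.bash_history'

# Dump printable strings of at least MINLEN (default 4) characters,
# like strings(1), using only tr and grep.
# Usage: printable_strings FILE [MINLEN]
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{${2:-4},}$"
}

# Succeed (status 0) when two files have the same POSIX cksum CRC and size.
same_contents() {
    a=$(cksum < "$1")
    b=$(cksum < "$2")
    [ "$a" = "$b" ]
}

# Print how many printable strings in FILE match the ERE in PATTERN.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| :".
count_flagged() {
    printable_strings "$1" | grep -E -c "$2" || :
}

# Driver: compare the suspect file against each system binary and report
# how many watch-listed strings each binary carries for manual review.
if [ "$#" -eq 3 ]; then
    suspect=$1
    shift
    for sysbin in "$@"; do
        if same_contents "$suspect" "$sysbin"; then
            echo "$sysbin: IDENTICAL to $suspect"
        else
            echo "$sysbin: differs from $suspect"
        fi
        echo "$sysbin: $(count_flagged "$sysbin" "$WATCH") watch-listed strings"
    done
fi
```

Compare the dumps and checksums against a known-clean installation of the same patch level (the uname output gives Generic_105181-06) rather than trusting anything on the compromised host.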
    This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 14:53:32 PDT