Anything interesting in the output of "strings /usr/sbin/in.telnetd" or "strings /bin/login"?

Last time I looked, Solaris 2.5.1's "ls" wasn't compiled with GNU file utils (but it WAS on the system I looked at this morning! ;-)

Bill Burge

*********** REPLY SEPARATOR ***********

On 7/30/2001 at 11:48 AM SecLists wrote:

>We have a customer's system that we believe was hacked...
>
>in /var/tmp there is a binary file:
>.baa0xdd1r
>
>it appears to have replaced /usr/sbin/in.telnetd
>
>/bin/login also appears suspect...
>
>this is:
>bash-2.01# uname -a
>SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
>
>
>does this sound like a familiar rootkit? or is something totally new?
>
>we are still gathering info but I wanted to post this soon in the chance
>that someone has dealt with this before.. don't want to have to reinvent
>the wheel...
>
>thanks,
>
>shawn
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
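The strings check suggested in the reply above, sketched as an added example that is not part of the original thread: it extracts printable runs the way strings(1) does and flags GNU build text or hidden temp-directory paths in a copy of a binary that should be vendor-built. The marker patterns, function names and sample bytes are assumptions constructed for illustration.

```python
import re

MIN_LEN = 4  # strings(1) also defaults to runs of at least 4 characters

# Assumed markers for this illustration: GNU build text in a binary that
# should be vendor-built, and paths to dot-files under /tmp or /var/tmp.
MARKERS = {
    "gnu-build": re.compile(r"GNU|fileutils|Free Software Foundation|GCC: \("),
    "hidden-tmp-path": re.compile(r"/(?:var/)?tmp/\.[^/\s]+"),
}


def printable_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, text) for each run of printable ASCII in data."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")


def triage(data: bytes):
    """Return (offset, marker_name, text) for every string matching a marker."""
    hits = []
    for offset, text in printable_strings(data):
        for name, rx in MARKERS.items():
            if rx.search(text):
                hits.append((offset, name, text))
    return hits


# Constructed sample bytes, not taken from any real binary.
HEADER = b"\x7fELF\x01\x02\x01\x00"
STOCK_LIKE = (HEADER + b"@(#)SunOS 5.6 constructed sample\x00"
              + b"usage: ls [-options] [file ...]\x00")
SUSPECT_LIKE = (HEADER + b"Report bugs to bug-fileutils@gnu.org\x00\x01"
                + b"/var/tmp/.example-hidden\x00"
                + b"GCC: (GNU) 2.95.2\x00")

if __name__ == "__main__":
    for label, blob in (("stock-like", STOCK_LIKE), ("suspect-like", SUSPECT_LIKE)):
        hits = triage(blob)
        print(f"{label}: {len(hits)} hit(s)")
        for offset, name, text in hits:
            print(f"  0x{offset:04x}  {name:16} {text}")
```

A hit is a lead for comparison against a known-good copy of the binary, not proof of tampering. Run the check on copies of the files from a trusted host, since the tools on a compromised system may themselves have been replaced.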
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 14:53:32 PDT