Re: .baa0xdd1r??

From: Lance Spitzner (lanceat_private)
Date: Mon Jul 30 2001 - 13:08:17 PDT


    On Mon, 30 Jul 2001, SecLists wrote:
    
    > We have a customer's system that we believe was hacked...
    >
    > in /var/tmp there is a binary file:
    > .baa0xdd1r
    >
    > it appears to have replaced /usr/sbin/in.telnetd
    >
    > /bin/login also appears suspect...
    >
    > this is:
    > bash-2.01# uname -a
    > SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
    
    > does this sound like a familiar rootkit? or is something totally new?
    
    Since this is a Solaris box, I HIGHLY recommend you check out Sun's
    fingerprint database.  Sun Microsystems has put online the MD5
    hash of every binary they have distributed for the Solaris environment,
    including all patched versions.  This database is very similar
    to a Tripwire snapshot for your binaries, and will confirm if
    you have been compromised or not.
    
      http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7
    
    If you have been compromised, two great sites to start with are
    
       http://www.cert.org
       http://www.securityfocus.com
    
    best of luck :)
    
    lance
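The check Lance describes, namely hashing each suspect binary and comparing it against a trusted list of vendor digests, is shown below as an added example; it is not code from the original thread or from Sun. The Sun fingerprint database itself was an online lookup, so this script instead takes a small md5sum-style list of `<md5>  <canonical path>` lines (a constructed format, not Sun's actual output) and reports, for each path, whether it matches the baseline, differs from it, has no baseline entry at all, or is absent from the disk. The `demo()` function builds a throwaway directory mirroring the incident in the question (an untouched in.telnetd, an altered /bin/login, an unexplained file under /var/tmp); the file contents and digests there are constructed stand-ins.

```python
"""Compare MD5 digests of installed files against a trusted fingerprint list.

Added example, not from the original thread or from Sun's tooling. The
fingerprint list format below (md5sum-style "<md5>  <path>" lines) is a
constructed stand-in for the vendor database.
"""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk=65536):
    """Hex MD5 of a file, read in chunks so large binaries never sit in memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_fingerprint_list(text):
    """Parse "<md5>  <canonical path>" lines into {path: lowercase md5}.

    Blank lines and '#' comments are skipped; the path may contain spaces.
    """
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        baseline[path] = digest.lower()
    return baseline


def verify_binaries(baseline, canonical_paths, root="/"):
    """Classify each canonical path (e.g. /bin/login) against the baseline.

    root lets a mounted image or copied tree be checked in place of the live
    system. Verdicts: "match", "MISMATCH" (digest differs from the vendor's),
    "unknown" (no vendor entry for this path), "missing" (not on disk).
    """
    results = {}
    for cpath in canonical_paths:
        on_disk = os.path.join(root, cpath.lstrip("/"))
        if not os.path.isfile(on_disk):
            results[cpath] = "missing"
            continue
        expected = baseline.get(cpath)
        if expected is None:
            results[cpath] = "unknown"
        elif md5_of_file(on_disk) == expected:
            results[cpath] = "match"
        else:
            results[cpath] = "MISMATCH"
    return results


# Constructed stand-ins for binary contents; real digests come from the vendor.
CLEAN_TELNETD = b"#!/bin/sh\n# stand-in for the vendor in.telnetd\n"
CLEAN_LOGIN = b"#!/bin/sh\n# stand-in for the vendor /bin/login\n"
ALTERED_LOGIN = CLEAN_LOGIN + b"# extra bytes not present in the vendor build\n"


def demo():
    """Build a throwaway tree mirroring the reported incident and verify it."""
    root = tempfile.mkdtemp(prefix="fpdb_demo_")
    # Baseline (constructed): digests of the known-good contents per canonical path.
    baseline = parse_fingerprint_list(
        f"{hashlib.md5(CLEAN_TELNETD).hexdigest()}  /usr/sbin/in.telnetd\n"
        f"{hashlib.md5(CLEAN_LOGIN).hexdigest()}  /bin/login\n"
        f"{hashlib.md5(b'ls').hexdigest()}  /usr/bin/ls\n"
    )
    # What is actually "installed": telnetd intact, login altered, a stray file.
    installed = {
        "/usr/sbin/in.telnetd": CLEAN_TELNETD,
        "/bin/login": ALTERED_LOGIN,
        "/var/tmp/.baa0xdd1r": CLEAN_TELNETD,
    }
    for cpath, data in installed.items():
        target = os.path.join(root, cpath.lstrip("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
    # /usr/bin/ls is in the baseline but was never written, so it reports "missing".
    return verify_binaries(baseline, list(installed) + ["/usr/bin/ls"], root=root)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9s} {path}")
```

When running this against a live box, the hashing tool and the Python interpreter themselves are among the things a rootkit may have replaced, so run it from known-good media (or point `root` at a read-only mount of the suspect disk from a clean host) and treat any "MISMATCH" or "unknown" on a system path as a finding to investigate, not as proof on its own. Also note that matching a vendor digest only tells you the file is the vendor's; a stock binary can still be the right one in the wrong place, as with a copy of in.telnetd sitting in /var/tmp.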
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 14:55:26 PDT