On Mon, 30 Jul 2001, SecLists wrote:

> We have a customer's system that we believe was hacked...
>
> in /var/tmp there is a binary file:
> .baa0xdd1r
>
> it appears to have replaced /usr/sbin/in.telnetd
>
> /bin/login also appears suspect...
>
> this is:
> bash-2.01# uname -a
> SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
>
> does this sound like a familiar rootkit? or is it something totally new?

Since this is a Solaris box, I HIGHLY recommend you check out Sun's
fingerprint database. Sun Microsystems has put online the MD5 hash of
every binary they have distributed for the Solaris environment, including
all patched versions. This database is very similar to a Tripwire snapshot
for your binaries, and will confirm whether you have been compromised or not.

http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7

If you have been compromised, two great sites to start with are

http://www.cert.org
http://www.securityfocus.com

best of luck :)

lance

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
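The check lance describes, as an added example that is not part of the original thread or of Sun's tooling: the fingerprint database is keyed by MD5, so you hash each suspect file and ask whether that digest is one the vendor ever shipped, and if so under which path. The script below models that lookup against a local fingerprint map (the digests, file contents and paths are constructed for the demo, not real Solaris fingerprints) and reports four verdicts: intact, digest known but shipped under a different name (a stock binary copied over another, or the original stashed in /var/tmp), digest unknown to the vendor, or file absent. The `root` parameter lets you point it at a suspect disk mounted read-only on a clean host, which is how it should be run: if /bin/login is suspect, the md5 tool, libc and the kernel on the victim may be as well.

```python
"""
Compare suspect binaries against vendor-published MD5 fingerprints.

Added example. The fingerprint map, file contents and tree built here are
constructed for the demo and are NOT real Solaris fingerprints; the real
database is queried with the digests at sunsolve.
"""
import hashlib
import os
import tempfile


def md5_file(path, chunk_size=65536):
    """Stream a file through MD5; binaries can be larger than memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(logical_path, fingerprints, root="/"):
    """Classify one file against a {md5: canonical_path} fingerprint map.

    logical_path is the path as it would appear on the running system;
    root is where that filesystem is actually mounted (e.g. a victim disk
    mounted read-only on a trusted host).  Returns (verdict, digest):
      "ok"         digest is known and belongs at this path
      "misplaced"  digest is a vendor binary, but shipped under another name
      "unknown"    digest not in the vendor database: modified or foreign
      "missing"    file does not exist
    """
    on_disk = os.path.join(root, logical_path.lstrip("/"))
    if not os.path.isfile(on_disk):
        return "missing", None
    digest = md5_file(on_disk)
    canonical = fingerprints.get(digest)
    if canonical is None:
        return "unknown", digest
    if canonical != logical_path:
        return "misplaced", digest
    return "ok", digest


def audit(logical_paths, fingerprints, root="/"):
    return {p: classify(p, fingerprints, root) for p in logical_paths}


def build_demo_tree():
    """Construct a fake root: one replaced, one stashed, one intact file."""
    root = tempfile.mkdtemp(prefix="fpdb-demo-")
    stock_telnetd = b"\x7fELF stock in.telnetd (constructed sample)\n"
    stock_login = b"\x7fELF stock login (constructed sample)\n"
    trojan = b"\x7fELF backdoored telnetd (constructed sample)\n"
    files = {
        "/usr/sbin/in.telnetd": trojan,        # replaced by the intruder
        "/var/tmp/.baa0xdd1r": stock_telnetd,  # original stashed under a hidden name
        "/bin/login": stock_login,             # untouched
    }
    for logical, data in files.items():
        on_disk = os.path.join(root, logical.lstrip("/"))
        os.makedirs(os.path.dirname(on_disk), exist_ok=True)
        with open(on_disk, "wb") as f:
            f.write(data)
    # Constructed stand-in for the vendor database: digest -> shipped path.
    fingerprints = {
        hashlib.md5(stock_telnetd).hexdigest(): "/usr/sbin/in.telnetd",
        hashlib.md5(stock_login).hexdigest(): "/bin/login",
    }
    return root, fingerprints


def run_demo():
    """Audit the constructed tree; returns {logical_path: verdict}."""
    root, fingerprints = build_demo_tree()
    targets = ["/usr/sbin/in.telnetd", "/bin/login",
               "/var/tmp/.baa0xdd1r", "/usr/sbin/in.ftpd"]
    return {p: v for p, (v, _) in audit(targets, fingerprints, root).items()}


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:10s} {path}")
```

Two caveats a practitioner would want. "unknown" is a lead, not proof: anything not shipped by Sun (locally built or third-party software) is also absent from the database, so confirm with the package and patch records before calling it trojaned. And the hashing must be done with a tool and libraries you trust; with /bin/login already suspect, run the check from clean media or from another host with the victim's disk mounted read-only.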
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 14:55:26 PDT