-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All:

Just saw a Solaris rootkit that was installed, apparently after a successful compromise of the dtspcd service on a Solaris 7 box... I had never seen it before and for those that also haven't, it installed in /usr/lib/vold/nsdap which isn't seen with regular ls... /dev/null's all the logs, etc. There are a few executable shell scripts in there...

There is also a /etc/init.d/network added with the following contents:

/usr/bin/sshd2 -q

This sshd runs on port 17811... Too much to cover in one email... replaces the normal ps, netstat, etc...

I can send a copy of the rootkit if there are enough people out there that haven't seen this...

thanks,
shawn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8a+ue3Qw8DHute6kRAtbjAJ9AIqFuKPNGLKGKmJ3TRUELRaqgDgCdF95X
m6aM2pprjmHk67/aFUeTSM0=
=FHgr
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
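The indicators in the post above (the hidden /usr/lib/vold/nsdap directory, the added /etc/init.d/network that runs /usr/bin/sshd2 -q, and replaced ps/netstat) can be turned into a triage check. The script below is an added example written for this page; it is not the rootkit's code and not from the original message. It takes the root of the filesystem to examine as its first argument (a disk image mounted read-only on a clean host, or "/" on the live box with a known-good toolset first in PATH) and, as an assumption of this script rather than anything in the post, an optional reference list of known-good binaries in the "crc size /path" form that `cksum` prints when run from install media. The legacy Solaris /bin/sh lacks `$(...)` and `$((...))`, so on a Solaris 7 host run it with /usr/xpg4/bin/sh or ksh.

```shell
#!/bin/sh
# Added triage script for the rootkit indicators reported in the post; not the
# rootkit's code and not from the original message. Usage:
#   sh rootkit_triage.sh /mnt/evidence [/path/to/reference.cksum]
# The reference-list format ("crc size /path", as printed by cksum) is an
# assumption of this script, not something the post describes.

# Join an absolute path from the post onto the root under examination.
rootpath() {
    printf '%s%s' "${ROOT%/}" "$1"
}

# Indicator 1: the directory /usr/lib/vold/nsdap. The trojaned ls hides it, so
# ask the kernel directly with -d instead of parsing ls output. The post reports
# a userland rootkit; a kernel-level one could also lie to stat(), which is why
# a mounted image on a clean host is the trustworthy target.
check_nsdap_dir() {
    [ -d "$(rootpath /usr/lib/vold/nsdap)" ]
}

# Indicator 2: /etc/init.d/network launching sshd2 (reported content
# "/usr/bin/sshd2 -q", listening on port 17811). The trojaned netstat will not
# show that port; confirm it from another host with a port scanner.
# grep -q is avoided because the classic Solaris /usr/bin/grep lacks it.
check_init_network() {
    f="$(rootpath /etc/init.d/network)"
    [ -f "$f" ] && grep 'sshd2' "$f" >/dev/null 2>&1
}

# Indicator 3: replaced ps, netstat, etc. Each listed binary is compared with
# its reference CRC and size. cksum is a CRC, not a cryptographic hash: it
# catches a plain file swap like the one reported, but a trojan can be padded
# to match, so prefer MD5 against the Solaris Fingerprint Database when you
# have it. Prints every mismatch; returns 0 only if all listed files match.
check_binaries() {
    reflist="$1"; bad=0
    while read -r crc size path; do
        case "$crc" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        target="$(rootpath "$path")"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        # cksum prints "crc size file"; word-split it into $1 $2 $3 (function-local).
        set -- $(cksum "$target")
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "CHANGED  $path (cksum $1 $2, reference $crc $size)"
            bad=$((bad + 1))
        fi
    done < "$reflist"
    [ "$bad" -eq 0 ]
}

# Run all checks against the root in $1 (reference list in $2, optional).
# Prints a report and returns the number of indicators found (0 = none).
triage() {
    ROOT="$1"; reffile="$2"; hits=0
    if check_nsdap_dir; then
        echo "FOUND    hidden directory /usr/lib/vold/nsdap"
        hits=$((hits + 1))
    fi
    if check_init_network; then
        echo "FOUND    /etc/init.d/network launches sshd2 (backdoor sshd, port 17811 reported)"
        hits=$((hits + 1))
    fi
    if [ -n "$reffile" ] && ! check_binaries "$reffile"; then
        echo "FOUND    system binaries differ from reference (trojaned ps/netstat?)"
        hits=$((hits + 1))
    fi
    echo "$hits indicator(s) present"
    return "$hits"
}

# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 1 ]; then
    triage "$1" "$2"
    exit "$?"
fi
```

A non-zero exit status equal to the number of indicators hit makes the script easy to drive from a loop over many mounted images. Because the reported sshd2 listens on a port that the replaced netstat will not show, the listening-port check belongs on a second machine (a scan of the suspect host for 17811), not in a script that runs on the compromised box.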
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 09:27:57 PST