Solaris hack

From: Jamie Lawrence (jalat_private)
Date: Thu Feb 21 2002 - 20:05:06 PST

    I'm helping with a Solaris 8 box that was rooted.
    
    The attacker replaced the /usr/bin/mc680*0 binaries,
    so many of the usual administrative commands are
    misbehaving. Is this from a rootkit anyone has seen
    before? 
    
    This is a production box, and has to stay up for a while
    yet (the usual bad sort of administrative neglect), so reinstalling
    from scratch is not an approach I can take this minute.
    
    I'm just looking for pointers on what I can expect, so I can
    hopefully temporarily plug some holes until the box can
    be rebuilt.
    
    TIA.
    
    -j
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 16:19:24 PST