Recently some Solaris servers I admin were compromised, due to not being patched against the dtspcd flaw. Now, the prudent thing is to just reinstall and so forth. It would however be nice to know what had been done.

The reason we found out about the compromise was an entry in root's crontab that said:

    0,15,30,45 * * * * /tmp/.fakex > /dev/null 2>&1

However, due to our crontabs not having a trailing \n after the last line, the above-mentioned crontab was appended to the end of our last crontab line, thus resulting in a corrupt entry.

No /tmp cleaning regime was running on the compromised servers, but we couldn't find the file /tmp/.fakex either. So, something has cleaned that out.

Furthermore, we tried ripping out the disk of one of the cracked servers, remounted it on a non-compromised machine, and ran md5sums on the entire system, compared them to what is available from SunSolve - and found that nothing had been changed out of the ordinary. In other words, we couldn't find any rootkit. Nor any hidden directories, or anything out of the ordinary.

However, we found that a server behind a firewall, that only some of the compromised servers had access to, also had the invalid crontab entry. Thus, we are quite certain that the 'visitors' managed to gain entry to the network.

Now, what I would love is to get my hands on the exploit used, which uses '/tmp/.fakex'. Russel Fulton posted a capture of a part of a packet containing /tmp/.fakex, on January 22. Although, he has had no luck in acquiring the rest of the exploit/packets, as that was the only incident with it.

Any other incidents-readers that have the rest? Or have the exploit? I would be _very_ interested in getting my hands on it to use as a reference when doing the forensics on the servers.

-- 
Rune Kristian Viken

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Feb 23 2002 - 04:47:59 PST
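The two forensic details in the post above, an attacker entry appended onto a last crontab line that lacked a trailing newline, and the entry itself running a hidden file out of /tmp, can both be checked for mechanically. The following script is an added example for defenders, not code from the original post or from SecurityFocus; the crontab it audits is a constructed sample modelled on the post, and the legitimate command names in it (e.g. /usr/local/sbin/rotate-logs) are assumptions, not a real Solaris default crontab.

```python
"""Audit a crontab for the tampering signature described in the post.

Checks performed:
  * file lacks a trailing newline (the condition that let an appended
    crontab glue itself onto the last legitimate line),
  * a second schedule embedded in a command field (the glued, corrupt entry),
  * commands run from world-writable directories such as /tmp,
  * commands that reference hidden (dot-prefixed) files.
Heuristics only: a legitimate command with five numeric arguments in a row
would also trigger the embedded-schedule check and should be reviewed by hand.
"""
import re
import sys

# One crontab schedule field (minute, hour, day-of-month, month, day-of-week).
FIELD = r"[\d*,/-]+"
SCHEDULE = re.compile(r"(?:%s\s+){4}%s" % (FIELD, FIELD))
ENTRY = re.compile(r"^\s*((?:%s\s+){4}%s)\s+(.*)$" % (FIELD, FIELD))

WORLD_WRITABLE = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/")
HIDDEN_FILE = re.compile(r"/\.[^/\s]+")

# Constructed sample: the last legitimate line had no trailing newline, so the
# appended "0,15,30,45 * * * * /tmp/.fakex ..." entry was glued onto it.
SAMPLE_CRONTAB = (
    "# constructed sample crontab (not a real Solaris default)\n"
    "# last line shows the corruption described in the post\n"
    "10 3 * * 0,4 /etc/cron.d/logchecker\n"
    "10 3 * * 0 /usr/lib/newsyslog\n"
    "15 3 * * 0 /usr/lib/fs/nfs/nfsfind\n"
    "30 3 * * * /usr/local/sbin/rotate-logs0,15,30,45 * * * * /tmp/.fakex > /dev/null 2>&1\n"
)


def recover_appended_entry(command):
    """Split a glued command into (legitimate tail, appended crontab entry).

    The boundary is the leftmost point where five schedule fields begin. If the
    legitimate command itself ended in a digit, the split is ambiguous and the
    digit ends up on the appended side; treat the result as a hint, not proof.
    """
    m = SCHEDULE.search(command)
    if not m:
        return command, ""
    return command[: m.start()], command[m.start():]


def audit_crontab(text):
    """Return a list of (line_number, kind, detail) findings; [] means clean."""
    findings = []
    if text and not text.endswith("\n"):
        findings.append((0, "no-trailing-newline",
                         "appended text would merge into the last entry"))
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Skip blank lines, comments and NAME=value assignments.
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((lineno, "unparseable", stripped))
            continue
        command = m.group(2)
        if SCHEDULE.search(command):
            tail, appended = recover_appended_entry(command)
            findings.append((lineno, "embedded-schedule",
                             "tail=%r appended=%r" % (tail, appended)))
        if WORLD_WRITABLE.search(command):
            findings.append((lineno, "world-writable-path", command))
        if HIDDEN_FILE.search(command):
            findings.append((lineno, "hidden-file", command))
    return findings


def main(argv):
    # Usage: audit_crontab.py [/var/spool/cron/crontabs/root]; no argument
    # audits the constructed sample so the script runs offline.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CRONTAB
    for lineno, kind, detail in audit_crontab(text):
        print("line %d: %s: %s" % (lineno, kind, detail))


if __name__ == "__main__":
    main(sys.argv)
```

On a Solaris host the per-user crontabs live under /var/spool/cron/crontabs, so the script can be pointed at the root crontab copied off a disk mounted on a trusted machine, which matches the offline approach the post describes for the md5sum comparison. The "no-trailing-newline" finding is the preventive check: fixing that on the clean rebuild at least makes any later appended entry show up as a well-formed, greppable line rather than a corrupt one.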