Well, the reality is, there really isn't any way of knowing just what to expect. Especially since this is a production box, my suggestion is to bring the system down *as soon as possible* (moan, sigh), fix the problem (while keeping track of the downtime), then go to management and say: this is why we need to purchase/upgrade our security systems, look at the production time we've lost. Yes, it's going to be a real headache and people are going to lose sleep, but this is the price we pay for being SysAdmins.

-------
Glenn Pitcher
System Administration / Security / Networking
(858) 674-1847 (home)
(858) 243-3433 (cell)
gpitcherat_private

-----Original Message-----
From: Jamie Lawrence [mailto:jalat_private]
Sent: Thursday, February 21, 2002 8:05 PM
To: incidentsat_private
Subject: Solaris hack

I'm helping with a Solaris 8 box that was rooted. The attacker replaced the /usr/bin/mc680*0 binaries, so many of the usual administrative commands are misbehaving. Is this from a rootkit anyone has seen before?

This is a production box, and has to stay up for a while yet (the usual bad sort of administrative neglect), so reinstalling from scratch is not an approach I can take this minute. I'm just looking for pointers on what I can expect, so I can hopefully temporarily plug some holes until the box can be rebuilt.

TIA.

-j

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
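The check a responder wants before "plugging holes" on a box like the one above is a list of which system binaries no longer match a known-good baseline. The script below is an added example, not code from either message in the thread: it compares a set of files against a manifest recorded with cksum(1), which is POSIX and present on Solaris 8 as well as current Linux and BSD systems, and reports replaced or missing files. The directory, file names and contents are constructed for the demonstration; on Solaris the native equivalent is pkgchk(1M) against the installed package database, with the same caveat that applies to this script: on a rooted host, cksum, ls, the shell and the package database itself may all have been tampered with, so run any such check from a known-good statically linked toolkit or with the disk mounted from boot media, and keep the baseline off the box.

```shell
#!/bin/sh
# Added example (not from the original thread): find replaced system binaries
# by comparing the current cksum(1) of each file with a previously recorded
# manifest. Manifest lines are "crc size path", exactly what `cksum` prints.
#
# Caveat: on a compromised host the tools used here may be trojaned. Run this
# from a known-good, statically linked toolkit (or with the disk mounted from
# boot media) and store the baseline manifest somewhere the attacker could
# not reach.

# check_manifest MANIFEST
#   Prints "MODIFIED <path> ..." or "MISSING <path>" for each problem.
#   Returns 0 if every file matches the manifest, 1 otherwise.
check_manifest() {
    manifest=$1
    status=0
    while read -r crc size path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        # Split the current "crc size path" output on whitespace.
        set -- $(cksum "$path")
        now_crc=$1
        now_size=$2
        if [ "$now_crc" != "$crc" ] || [ "$now_size" != "$size" ]; then
            echo "MODIFIED $path (baseline $crc/$size, now $now_crc/$now_size)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# --- constructed demonstration -------------------------------------------
# A scratch directory stands in for /usr/bin; the "binaries" are tiny text
# files made up for this example.
demo_dir=$(mktemp -d)
for b in mc68010 mc68020 mc68030 mc68040 ls ps; do
    printf 'original %s\n' "$b" > "$demo_dir/$b"
done

# Baseline recorded while the system was known-good.
baseline="$demo_dir/baseline.cksum"
for b in mc68010 mc68020 mc68030 mc68040 ls ps; do
    cksum "$demo_dir/$b"
done > "$baseline"

# Simulate the intrusion: two binaries replaced, one deleted.
printf 'trojaned\n' > "$demo_dir/mc68010"
printf 'trojaned\n' > "$demo_dir/ps"
rm "$demo_dir/mc68040"

# run_demo: prints the number of files the check flagged (3 here).
run_demo() {
    check_manifest "$baseline" | grep -c -E '^(MODIFIED|MISSING)'
}

# cleanup_demo: remove the scratch directory.
cleanup_demo() {
    rm -rf "$demo_dir"
}

# Stand-alone run: list the differences and say what the result means.
check_manifest "$baseline" || echo "baseline mismatch: rebuild from media, do not trust this box's own tools"
```

A clean result from this script only says the listed files are unchanged; it says nothing about kernel modules, added setuid files, or binaries outside the manifest, so it is a triage aid, not a substitute for the rebuild the thread recommends.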
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:03:35 PST