Re: Solaris hack

From: Matt K. (mattat_private)
Date: Fri Feb 22 2002 - 19:42:03 PST


    They most likely got in via dtspcd or ttdbserver.  Run strings on
    /usr/ucb/ps and see if you see 'sexygurl' near the end.  Also, check the
    dates on files such as /bin/ls.  The rootkit doesn't seem to change the
    dates on the files it changes, so they are easy to detect.  The rootkit
    also edits /etc/init.d/network and starts an sshd2 daemon at the end.
    This is one of the ways the rooters get into your machine later on.  If
    you think you have the rootkit I am talking about, email me directly and
    I will get you a list of the files to replace, etc.  You should consider
    disabling most of the stuff in /etc/inetd.conf (once you replace it with
    the original, for it was most likely changed) and patching your system
    to the latest revisions.  The dtspcd thing is pretty hot right now from
    my standpoint as I see many scans daily for it.
    
    Matt
    
    On Thu, Feb 21, 2002 at 08:05:06PM -0800, Jamie Lawrence wrote:
    > 
    > I'm helping with a Solaris 8 box that was rooted.
    > 
    > The attacker replaced the /usr/bin/mc680*0 binaries,
    > so many of the usual administrative commands are
    > misbehaving. Is this from a rootkit anyone has seen
    > before? 
    > 
    > This is a production box, and has to stay up for a while
    > yet (the usual bad sort of administrative neglect), so reinstalling
    > from scratch is not an approach I can take this minute.
    > 
    > I'm just looking for pointers on what I can expect, so I can
    > hopefully temporarily plug some holes until the box can
    > be rebuilt.
    > 
    > TIA.
    > 
    > -j
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    -- 
    Matt Kassawara
    Unix Computing Support / Security
    Department of Computer Science and Electrical Engineering
    University of Central Florida
    407.823.3018
    mattat_private
    
    
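Matt's checklist above (the 'sexygurl' string in /usr/ucb/ps, fresh dates on files like /bin/ls, an sshd2 appended to /etc/init.d/network, and the services left enabled in /etc/inetd.conf) can be turned into a repeatable first-pass triage. The script below is an added example, not code from Matt or from the list; it takes a directory root as an argument so it can be run on "/" or on a mounted copy of the disk. The marker string, the file paths and the dtspcd/ttdbserver names come from the thread; the reference file used for the date comparison, the stand-in file contents and the inetd.conf excerpt are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: triage checks for the
# indicators Matt lists, run against a directory tree given as an argument
# ("/" on the live host, or the mount point of an image). The marker
# 'sexygurl', the paths and the sshd2/dtspcd/ttdbserver names are from the
# thread; the demo tree built at the bottom is constructed.

# Equivalent of "strings FILE | grep STRING": keep printable runs, grep them.
check_marker() {            # usage: check_marker FILE STRING -> 0 if found
    [ -r "$1" ] || return 2
    tr -c '[:print:]\n' '\n' < "$1" | grep -q -- "$2"
}

# The post notes the rootkit does not fix up modification dates, so a fresh
# date on a system binary stands out. Compare against a reference file the
# intruder had no reason to touch (which file that is, is an assumption).
newer_than_ref() {          # usage: newer_than_ref REF FILE -> 0 if FILE is newer
    [ -n "$(find "$2" -newer "$1" 2>/dev/null)" ]
}

# Was an sshd2 added to the network start script?
check_init_sshd2() {        # usage: check_init_sshd2 ROOT -> 0 if sshd2 is referenced
    grep -q 'sshd2' "$1/etc/init.d/network" 2>/dev/null
}

# Services still enabled in inetd.conf (every line not commented out).
enabled_inetd_services() {  # usage: enabled_inetd_services ROOT
    grep -v '^[[:space:]]*#' "$1/etc/inetd.conf" 2>/dev/null |
        awk 'NF >= 6 { print $1 }'
}

# One line per finding; returns 0 only when nothing was flagged.
triage_report() {           # usage: triage_report ROOT REF_FILE
    root=$1; ref=$2; hits=0
    if check_marker "$root/usr/ucb/ps" sexygurl; then
        echo "WARN: $root/usr/ucb/ps carries 'sexygurl' (trojaned ps)"; hits=1
    fi
    if newer_than_ref "$ref" "$root/bin/ls"; then
        echo "WARN: $root/bin/ls is newer than reference $ref"; hits=1
    fi
    if check_init_sshd2 "$root"; then
        echo "WARN: sshd2 referenced in $root/etc/init.d/network"; hits=1
    fi
    # dtspcd is the 'dtspc' service; rpc.ttdbserverd is rpc program 100083.
    for svc in $(enabled_inetd_services "$root"); do
        case $svc in
            dtspc|100083/*) echo "WARN: inetd still serves $svc"; hits=1 ;;
        esac
    done
    return $hits
}

# Constructed demo tree so the checks can be exercised without a rooted host.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/usr/ucb" "$DEMO_ROOT/bin" "$DEMO_ROOT/etc/init.d"
printf '\177ELF\001\002stand-in ps\001\002 ... sexygurl\n' > "$DEMO_ROOT/usr/ucb/ps"  # constructed: trojaned
printf '\177ELF\001\002stand-in ls\n' > "$DEMO_ROOT/bin/ls"                          # constructed: no marker
printf '\177ELF\001\002stand-in reference\n' > "$DEMO_ROOT/bin/ls.ref"
touch -t 200001010000 "$DEMO_ROOT/bin/ls.ref"       # old date, so /bin/ls above reads as "new"
printf '#!/sbin/sh\n# stand-in network script\n/opt/hidden/sshd2 &\n' > "$DEMO_ROOT/etc/init.d/network"
cat > "$DEMO_ROOT/etc/inetd.conf" <<'EOF'
# constructed excerpt in Solaris inetd.conf layout
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
100083/1 tli    rpc/tcp wait    root    /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
EOF

if triage_report "$DEMO_ROOT" "$DEMO_ROOT/bin/ls.ref"; then
    echo "no indicators found"
else
    echo "review the findings above; replace the listed files from known-good media"
fi
```

The date check only catches binaries the intruder did not bother to re-date, which matches what Matt observed for this rootkit; a trojaned file with a restored timestamp still needs a checksum comparison against install media. The inetd listing is meant to be read in full, since the advice is to disable most of what is there, not just the two entry points.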



    This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:28:30 PST