They most likely got in via dtspcd or ttdbserver. Run strings on /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the dates on files such as /bin/ls. The rootkit doesn't seem to change the dates on the files it changes, so they are easy to detect. The rootkit also edits /etc/init.d/network and starts an sshd2 daemon at the end. This is one of the ways the rooters get into your machine later on.

If you think you have the rootkit I am talking about, email me directly and I will get you a list of the files to replace, etc. You should consider disabling most of the stuff in /etc/inetd.conf (once you replace it with the original, for it was most likely changed) and patching your system to the latest revisions. The dtspcd thing is pretty hot right now from my standpoint as I see many scans daily for it.

Matt

On Thu, Feb 21, 2002 at 08:05:06PM -0800, Jamie Lawrence wrote:
>
> I'm helping with a Solaris 8 box that was rooted.
>
> The attacker replaced the /usr/bin/mc680*0 binaries,
> so many of the usual administrative commands are
> misbehaving. Is this from a rootkit anyone has seen
> before?
>
> This is a production box, and has to stay up for a while
> yet (the usual bad sort of administrative neglect), so reinstalling
> from scratch is not an approach I can take this minute.
>
> I'm just looking for pointers on what I can expect, so I can
> hopefully temporarily plug some holes until the box can
> be rebuilt.
>
> TIA.
>
> -j
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Matt Kassawara
Unix Computing Support / Security
Department of Computer Science and Electrical Engineering
University of Central Florida
407.823.3018
mattat_private
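The three checks in the reply above (the 'sexygurl' string near the end of /usr/ucb/ps, an sshd2 launch appended to /etc/init.d/network, and system binaries whose modification dates stand out), scripted as an added example. This is not code from the original post or from Matt's own file list. Assumptions that are not in the post: the marker is looked for among the last 20 printable strings of the binary, "recent dates" is measured as newer than a reference file the admin knows predates the intrusion, and only /bin and /usr/bin are scanned for such files. The fixture at the bottom is constructed to imitate the symptoms so the script runs offline; on a real box you would pass / and a trusted reference path instead.

```shell
#!/bin/sh
# Added triage example for the Solaris rootkit symptoms described in the post.
# Not the poster's own tooling. Assumptions: a 20-string tail window for the
# marker, a reference file that predates the intrusion for mtime comparison,
# and /bin plus /usr/bin as the directories to scan. /etc/inetd.conf is a poor
# reference because the post says it was likely replaced as well.
# Usage on a real host: sh triage.sh / /path/to/known-old-file

# strings(1)-style extraction using tr(1) only, so the check does not depend
# on binutils being present (or intact) on a box whose binaries were replaced.
printable_strings() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -E '.{4,}'
}

# Return 0 if MARKER appears among the last 20 printable strings of FILE.
has_marker() {
    file="$1"; marker="$2"
    [ -f "$file" ] || return 1
    printable_strings "$file" | tail -n 20 | grep -q -- "$marker"
}

# Return 0 if an rc script launches sshd2 (the post says the rootkit appends it).
starts_sshd2() {
    [ -f "$1" ] && grep -q 'sshd2' "$1"
}

# List regular files under DIR whose mtime is newer than REF.
newer_than() {
    [ -d "$1" ] || return 0
    find "$1" -type f -newer "$2"
}

# Run all checks under ROOT. Prints findings; returns 1 if any were found.
triage() {
    root="${1%/}"; ref="$2"; hits=0
    if has_marker "$root/usr/ucb/ps" sexygurl; then
        echo "HIT: $root/usr/ucb/ps contains 'sexygurl'"; hits=1
    fi
    if starts_sshd2 "$root/etc/init.d/network"; then
        echo "HIT: $root/etc/init.d/network launches sshd2"; hits=1
    fi
    for d in bin usr/bin; do
        if [ "$(newer_than "$root/$d" "$ref" | grep -c .)" -gt 0 ]; then
            echo "HIT: files under $root/$d newer than $ref:"
            newer_than "$root/$d" "$ref"
            hits=1
        fi
    done
    return $hits
}

# Constructed fixture (not a real compromised host): a trojaned ps carrying the
# marker, an rc script with sshd2 appended, and one replaced binary whose
# mtime is current while an untouched one keeps an old date.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/ucb" "$d/etc/init.d" "$d/bin"
    printf 'ELF\001\002junk\001more junk\001sexygurl\001\n' > "$d/usr/ucb/ps"
    printf '#!/sbin/sh\nifconfig -a\n/usr/local/sbin/sshd2 -p 3389\n' > "$d/etc/init.d/network"
    printf 'clean\n' > "$d/bin/ls"
    printf 'clean\n' > "$d/bin/true"
    printf 'installed\n' > "$d/reference"
    touch -t 200106010000 "$d/reference" "$d/bin/true"
    touch "$d/bin/ls"   # the replaced binary keeps a current mtime
    echo "$d"
}

FIX=$(build_fixture)
triage "$FIX" "$FIX/reference" || echo "rootkit indicators present under $FIX"
rm -rf "$FIX"
```

On the real box, run these checks with tr, grep, find and tail taken from trusted media rather than the installed copies: the thread's whole premise is that system binaries were replaced, so a negative result from the host's own tools proves little. A hit on any check is grounds to treat the host as owned and work toward the rebuild Jamie mentions rather than toward cleaning.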
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:28:30 PST