On Thu, 21 Feb 2002 20:05:06 PST, Jamie Lawrence <jalat_private> said:
> I'm helping with a Solaris 8 box that was rooted.
>
> The attacker replaced the /usr/bin/mc680*0 binaries,
> so many of the usual administrative commands are
> misbehaving. Is this from a rootkit anyone has seen
> before?

There was a posting that smelled like this on another list - U of Oregon got hit, and we've seen a few at our site as well.

Date: Tue, 19 Feb 2002 14:28:36 -0800 (PST)
From: John Kemp <kemp@network-services.uoregon.edu>
Subject: [unisog] Solaris 7 dtspcd attack against UOREGON.EDU
To: unisogat_private

I'm not sure if there's an archive of that at SANS...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:41:00 PST