Re: Solaris hack

From: Valdis.Kletnieksat_private
Date: Fri Feb 22 2002 - 16:44:05 PST

    On Thu, 21 Feb 2002 20:05:06 PST, Jamie Lawrence <jalat_private>  said:
    > I'm helping with a Solaris 8 box that was rooted.
    > 
    > The attacker replaced the /usr/bin/mc680*0 binaries,
    > so many of the usual administrative commands are
    > misbehaving. Is this from a rootkit anyone has seen
    > before? 
    
    There was a posting that smelled like this on another list - U of
    Oregon got hit, and we've seen a few at our site as well.
    
    Date: Tue, 19 Feb 2002 14:28:36 -0800 (PST)
    From: John Kemp <kemp@network-services.uoregon.edu>
    Subject: [unisog] Solaris 7 dtspcd attack against UOREGON.EDU
    To: unisogat_private
    
    I'm not sure if there's an archive of that at SANS...
    
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech

    This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 21:41:00 PST