On Mon, 25 Feb 2002, Christopher X. Candreva wrote:

> On Fri, 22 Feb 2002, Matt K. wrote:
>
> > They most likely got in via dtspcd or ttdbserver. Run strings on
> > /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the
> > dates on files such as /bin/ls. The rootkit doesn't seem to change the
> > Specifically, u370 was the real login, and login was replaced.
> > They replace the program that IDs CPU types that will never be run.

I just got one of these too; upon booting from CD and doing a little poking
around, I found in /usr/lib/vold/nsdap the file 'defines', which contained
the following:

======
# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"

# Your email address
EMAIL="bert.smithat_private"

# debug mode on or off
DEBUG=0

# file location settings
BACKUP_LS="/usr/bin/mc68000"
BACKUP_DU="/usr/bin/mc68010"
BACKUP_PS="/usr/bin/mc68020"
BACKUP_UCBPS="/usr/ucb/bin/ps"
BACKUP_SU="/usr/bin/m68k"
BACKUP_PASSWD="/usr/bin/sun2"
BACKUP_FIND="/usr/bin/mc68030"
BACKUP_NETSTAT="/usr/bin/mc68040"
BACKUP_PING="/usr/bin/sun3"
BACKUP_STRINGS="/usr/bin/sun3x"
BACKUP_LSOF="/usr/bin/lso"
BACKUP_LOGIN="/usr/bin/u370"
======

--
Steve Huston - System Administrator, Dept. of Astrophysical Sciences
Princeton University  | ICBM Address: 40.346525 -74.651285
126 Peyton Hall       |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
(609) 258-7375        | headlong into mystery." -Rush, 'Cygnus X-1'

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
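The checks the thread describes (look for the 'sexygurl' string in /usr/ucb/ps, and treat the BACKUP_* entries in the rootkit's defines file as the places where the real binaries were stashed) can be scripted against a suspect disk mounted read-only after booting from CD, so the trojaned tools on the disk are never executed. The script below is an added example written for this archive page, not code from the post or from the rootkit; the function names, the root-prefix argument, the use of grep -a in place of strings, and the defines lines constructed in the usage notes are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Given a root prefix (the suspect disk
# mounted read-only, e.g. /mnt/suspect) and the path of the rootkit's
# "defines" file, report which BACKUP_* paths exist, whether an installed
# binary differs from its stashed original, and whether /usr/ucb/ps carries
# the 'sexygurl' marker named in the thread.

# Print the value of every BACKUP_*="..." assignment, one per line.
# The paths in the quoted defines file contain no whitespace, so the
# plain word splitting in check_backups below is safe for them.
list_backup_paths() {
    sed -n 's/^BACKUP_[A-Za-z_]*="\([^"]*\)".*/\1/p' "$1"
}

# For each backup path print PRESENT or absent relative to ROOT.
# A PRESENT entry is a strong indicator: these are the stashed copies of the
# real binaries, named after CPU types the box will never identify.
check_backups() {
    root="$1"; defs="$2"
    for p in $(list_backup_paths "$defs"); do
        if [ -e "$root$p" ]; then
            echo "PRESENT $root$p"
        else
            echo "absent  $root$p"
        fi
    done
}

# Number of backup paths that exist under ROOT, printed on stdout.
count_present() {
    check_backups "$1" "$2" | grep -c '^PRESENT '
}

# Exit 0 if FILE contains MARKER as a printable string, 1 otherwise.
# Stands in for 'strings FILE | grep MARKER' on a system where the
# installed strings binary itself cannot be trusted.
has_marker() {
    LC_ALL=C grep -a -q -- "$2" "$1"
}

# Compare the installed binary with its stashed original under ROOT.
# Exit 0 (and print a REPLACED line) when the backup exists and differs,
# i.e. the installed file is the rootkit's replacement; exit 1 otherwise.
compare_pair() {
    root="$1"; installed="$2"; backup="$3"
    if [ -e "$root$backup" ] && ! cmp -s "$root$installed" "$root$backup"; then
        echo "REPLACED $root$installed (original stashed at $root$backup)"
        return 0
    fi
    return 1
}

# Stand-alone use:
#   sh check_rootkit.sh /mnt/suspect /mnt/suspect/usr/lib/vold/nsdap/defines
if [ "$#" -eq 2 ]; then
    check_backups "$1" "$2"
    compare_pair "$1" /usr/bin/ls    /usr/bin/mc68000 || true
    compare_pair "$1" /usr/bin/ps    /usr/bin/mc68020 || true
    compare_pair "$1" /usr/bin/login /usr/bin/u370    || true
    if has_marker "$1/usr/ucb/ps" sexygurl; then
        echo "MARKER  $1/usr/ucb/ps contains 'sexygurl'"
    fi
fi
```

Run it from the boot CD's own shell, not the suspect system's, and give it the mount point of the compromised disk as the root prefix; the defines file it parses is the one quoted in the message above. The pairings passed to compare_pair (ls with mc68000, ps with mc68020, login with u370) follow the BACKUP_* names in that file.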
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 14:37:58 PST