I am not a Sun expert by any means, but this doesn't look like a compromise to me ..

> 1. %nmap foo
> ....
> 898/tcp open unknown

Standard port for the SUN Management Console server.

>
> 3. %netstat
> ...
> 30001303a88 stream-ord 3000108acd8 00000000
> /tmp/smc898/cmdsock

This is the directory that smc uses to store PID etc... (check: you should have a boot.pid file in there.)

> 4. % /usr/local/bin/lsof -U
> java 436 root 25u unix 105,25 0t0 35169
> /devices/pseudo/tl@0:ticots->
> /tmp/smc898/cmdsock (0x30001303a88)
> (Vnode=0x3000108acd8)

Again, I think that's pretty standard for SUN services being "tied" to pseudo devices.

> Ok, What's happening?, I am very confused, the inode
> number fsol show points to a directory and a character
> device. How can I stop
> that listening binary?

This is a service that should be started by smcboot; check your /etc/rc#.d/ directory (whichever runlevel you are in).

Of course, if this is not a Sun box then this is a little odd indeed... Again, not an expert with Sun, but this looks like a normal Sun service.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 12:08:40 PDT