?hack cause?
From: Andy Gabor (ajgabor@ucdavis.edu)Date: 03/25/02
- Previous message: Stephen Pinto: "BSM audit viewer with java option"
- Next in thread: Ailean Mhorgainn: "Re: ?hack cause?"
- Reply: Ailean Mhorgainn: "Re: ?hack cause?"
- Reply: Mike P: "Re: ?hack cause?"
- Reply: Gordon Ewasiuk: "Re: ?hack cause?"
- Reply: b. nyec: "RE: ?hack cause?"
- Reply: rir@vmei.acad.bg: "Re: ?hack cause?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Andy Gabor <ajgabor@ucdavis.edu> Date: Mon, 25 Mar 2002 11:30:08 -0800 To: <focus-sun@securityfocus.com>
Hi, I think I got hacked but not sure how.
Env: Sol8 (all security patches installed - I think), Ultra 10
Log:
Mar 23 08:12:39 nova inetd[160]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.cmsd: Killed
Mar 23 08:12:44 nova inetd[160]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.ttdbserverd: Killed
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] ftp/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] telnet/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] uucp/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] time/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] echo/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] discard/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] daytime/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] chargen/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] fs/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] printer/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] dtspc/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] pop3/tcp: bind: Address already in use
Effect:
1. lost /usr/dt/bin/rpc.cmsd
2. new files /usr/bin/login /usr/bin/.login.
Checked sunsolve for cmsd alerts - none.
Any insights appreciated.
Andy
=====================================================================
Andy Gabor - Department of Neurology, University of California, Davis
ajgabor@ucdavis.edu (530)754-5036 (FAX)
- Previous message: Stephen Pinto: "BSM audit viewer with java option"
- Next in thread: Ailean Mhorgainn: "Re: ?hack cause?"
- Reply: Ailean Mhorgainn: "Re: ?hack cause?"
- Reply: Mike P: "Re: ?hack cause?"
- Reply: Gordon Ewasiuk: "Re: ?hack cause?"
- Reply: b. nyec: "RE: ?hack cause?"
- Reply: rir@vmei.acad.bg: "Re: ?hack cause?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
