.baa0xdd1r??
From: SecLists (lists@secure.stargate.net)
Date: 07/30/01
- Previous message: Stephen Malenshek: "Mail Issue"
- Next in thread: Bill Burge: "Re: .baa0xdd1r??"
- Reply: Bill Burge: "Re: .baa0xdd1r??"
- Reply: Lance Spitzner: "Re: .baa0xdd1r??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 30 Jul 2001 11:48:05 -0400 (EDT)
From: SecLists <lists@secure.stargate.net>
To: <incidents@securityfocus.com>
Subject: .baa0xdd1r??
Message-ID: <Pine.BSO.4.33.0107301145220.4022-100000@secure.stargate.net>
We have a customer's system that we believe was hacked...
in /var/tmp there is a binary file:
.baa0xdd1r
it appears to have replaced /usr/sbin/in.telnetd
/bin/login also appears suspect...
this is:
bash-2.01# uname -a
SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
does this sound like a familiar rootkit? or is it something totally new?
we are still gathering info but I wanted to post this soon in the chance
that someone has dealt with this before.. don't want to have to reinvent
the wheel...
thanks,
shawn
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com