Re: .baa0xdd1r??

From: Lance Spitzner (lance@honeynet.org)
Date: 07/30/01


Date: Mon, 30 Jul 2001 15:08:17 -0500 (CDT)
From: Lance Spitzner <lance@honeynet.org>
To: SecLists <lists@secure.stargate.net>
Subject: Re: .baa0xdd1r??
Message-ID: <Pine.LNX.4.30.0107301506020.12401-100000@marge.spitzner.net>

On Mon, 30 Jul 2001, SecLists wrote:

> We have a customer's system that we believe was hacked...
>
> in /var/tmp there is a binary file:
> .baa0xdd1r
>
> it appears to have replaced /usr/sbin/in.telnetd
>
> /bin/login also appears suspect...
>
> this is:
> bash-2.01# uname -a
> SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
>
> does this sound like a familiar rootkit? or is something totally new?

Since this is a Solaris box, I HIGHLY recommend you check out Sun's
fingerprint database. Sun Microsystems has put online the MD5
hash of every binary they have distributed for the Solaris environment,
including all patched versions. This database is very similar
to a Tripwire snapshot for your binaries, and will confirm if
you have been compromised or not.

  http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7

If you have been compromised, two great sites to start with are

   http://www.cert.org
   http://www.securityfocus.com

best of luck :)

lance
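As an added illustration of the fingerprint check Lance suggests (example code, not from the original message and not Sun's tool): hash each binary and compare it with a manifest of known-good MD5 values. The paths and the "pristine" bytes below are constructed; in a real check the expected hashes come from the vendor's database for the exact release and patch level shown by `uname -a`.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk=65536):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(root, manifest):
    """Compare every manifest entry (path -> expected MD5) against the files
    under `root`. Returns path -> "ok", "MISMATCH" or "missing".
    Run the hashing tool from trusted media: on a compromised host the
    local binaries doing the checking may themselves be replaced."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "MISMATCH"  # differs from the vendor fingerprint
    return results

def demo():
    """Build a constructed mini-filesystem and check it. The 'pristine' bytes
    stand in for the vendor's release binaries; their hashes play the role
    of the fingerprint database entries (constructed, not real Sun values)."""
    pristine = {
        "/usr/sbin/in.telnetd": b"pristine in.telnetd (constructed)",
        "/bin/login": b"pristine login (constructed)",
        "/usr/bin/ls": b"pristine ls (constructed)",
    }
    manifest = {p: hashlib.md5(d).hexdigest() for p, d in pristine.items()}
    with tempfile.TemporaryDirectory() as root:
        for p, d in pristine.items():
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(d)
        # Simulate the reported incident: in.telnetd replaced, login intact,
        # and one binary removed entirely.
        with open(os.path.join(root, "usr/sbin/in.telnetd"), "wb") as f:
            f.write(b"replacement binary (constructed)")
        os.remove(os.path.join(root, "usr/bin/ls"))
        return verify(root, manifest)

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```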

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com