Solaris hack
From: Jamie Lawrence (jal@abulafia.com)
Date: 02/22/02
Date: Thu, 21 Feb 2002 20:05:06 -0800
To: <incidents@securityfocus.com>
From: Jamie Lawrence <jal@abulafia.com>

I'm helping with a Solaris 8 box that was rooted.
The attacker replaced the /usr/bin/mc680*0 binaries,
so many of the usual administrative commands are
misbehaving. Is this from a rootkit anyone has seen
before?
This is a production box, and has to stay up for a while
yet (the usual bad sort of administrative neglect), so reinstalling
from scratch is not an approach I can take this minute.
I'm just looking for pointers on what I can expect, so I can
hopefully temporarily plug some holes until the box can
be rebuilt.
TIA.
-j
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com