RE: Solaris hack

From: Glenn Pitcher (gpitcher@san.rr.com)
Date: 02/23/02


From: "Glenn Pitcher" <gpitcher@san.rr.com>
To: "Jamie Lawrence" <jal@abulafia.com>
Date: Fri, 22 Feb 2002 21:00:07 -0800

Well, the reality is, there really isn't any way of knowing just what to
expect. Especially since this is a production box, my suggestion is to
bring the system down *as soon as possible* (moan, sigh) fix the problem
(while keeping track of the downtime) then go to management and say - this
is why we need to purchase/upgrade our security systems, look at the
production time we've lost. Yes, its going to be a real headache and people
are going to loose sleep but this is the price we pay for being SysAdmins.

-------
Glenn Pitcher
System Administration / Security / Networking
(858) 674-1847 (home)
(858) 243-3433 (cell)
gpitcher@san.rr.com

-----Original Message-----
From: Jamie Lawrence [mailto:jal@abulafia.com]
Sent: Thursday, February 21, 2002 8:05 PM
To: incidents@securityfocus.com
Subject: Solaris hack

I'm helping with a Solaris 8 box that was rooted.

The attacker replaced the /usr/bin/mc680*0 binaries,
so many of the usual administrative commands are
misbehaving. Is this from a rootkit anyone has seen
before?

This is a production box, and has to stay up for a while
yet (the usual bad sort of administrative neglect), so reinstalling
from scratch is not an approach I can take this minute.

I'm just looking for pointers on what I can expect, so I can
hopefully temporarily plug some holes until the box can
be rebuilt.

TIA.

-j

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com