RE: Solaris hack

From: Glenn Pitcher (gpitcher@san.rr.com)
Date: 02/23/02


From: "Glenn Pitcher" <gpitcher@san.rr.com>
To: "Jamie Lawrence" <jal@abulafia.com>
Date: Fri, 22 Feb 2002 21:00:07 -0800

Well, the reality is, there really isn't any way of knowing just what to
expect. Especially since this is a production box, my suggestion is to
bring the system down *as soon as possible* (moan, sigh), fix the problem
(while keeping track of the downtime), then go to management and say - this
is why we need to purchase/upgrade our security systems, look at the
production time we've lost. Yes, it's going to be a real headache and people
are going to lose sleep but this is the price we pay for being SysAdmins.

-------
Glenn Pitcher
System Administration / Security / Networking
(858) 674-1847 (home)
(858) 243-3433 (cell)
gpitcher@san.rr.com

-----Original Message-----
From: Jamie Lawrence [mailto:jal@abulafia.com]
Sent: Thursday, February 21, 2002 8:05 PM
To: incidents@securityfocus.com
Subject: Solaris hack

I'm helping with a Solaris 8 box that was rooted.

The attacker replaced the /usr/bin/mc680*0 binaries,
so many of the usual administrative commands are
misbehaving. Is this from a rootkit anyone has seen
before?

This is a production box, and has to stay up for a while
yet (the usual bad sort of administrative neglect), so reinstalling
from scratch is not an approach I can take this minute.

I'm just looking for pointers on what I can expect, so I can
hopefully temporarily plug some holes until the box can
be rebuilt.

TIA.

-j

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
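The kind of baseline-and-compare check a responder would run on a box like the one Jamie describes, added here as an example (not code from either poster; the script, its ROOT variable and the list-file format are my assumptions). The baseline must come from a known-clean install or the install media, not from the compromised host, or it simply enshrines the replaced binaries.

```sh
#!/bin/sh
# Baseline-and-compare check for system binaries on a suspected-rooted host.
# Hypothetical example, not from the thread. ROOT (optional) is a prefix under
# which the suspect filesystem is mounted, e.g. read-only from a clean boot
# environment; the list file names one absolute path per line (/usr/bin/mc68000).
# cksum is a CRC-32, not a cryptographic digest: it catches a careless swap but a
# trojan can be padded to match, so a clean result is triage only; and sh, cksum,
# read and printf must themselves come from clean media, not the rooted box.

# make_baseline LISTFILE OUTFILE
#   Records "crc size path" for each listed file, or "MISSING - path".
make_baseline() {
    list=$1; out=$2; root=${ROOT:-}
    : > "$out"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -f "$root$p" ]; then
            set -- $(cksum < "$root$p")        # POSIX cksum on stdin: "crc size"
            printf '%s %s %s\n' "$1" "$2" "$p" >> "$out"
        else
            printf 'MISSING - %s\n' "$p" >> "$out"
        fi
    done < "$list"
}

# compare_baseline BASELINE
#   Re-checks every path; prints CHANGED / MISSING / APPEARED lines.
#   Returns 0 when everything matches the baseline, 1 otherwise.
compare_baseline() {
    base=$1; root=${ROOT:-}; rc=0
    while read -r crc size p; do
        if [ ! -f "$root$p" ]; then
            [ "$crc" = MISSING ] || { echo "MISSING $p"; rc=1; }
            continue
        fi
        set -- $(cksum < "$root$p")
        if [ "$crc" = MISSING ]; then
            echo "APPEARED $p"; rc=1
        elif [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "CHANGED $p (baseline crc=$crc size=$size, now crc=$1 size=$2)"; rc=1
        fi
    done < "$base"
    return $rc
}

# Usage: sh check.sh baseline LIST OUT    or    sh check.sh compare BASELINE
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    compare)  compare_baseline "$2" ;;
esac
```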
