Re: Solaris hack

From: Christopher X. Candreva (chris@westnet.com)
Date: 02/25/02


Date: Mon, 25 Feb 2002 10:58:14 -0500 (EST)
From: "Christopher X. Candreva" <chris@westnet.com>
To: "Matt K." <matt@mail.ucf.edu>

On Fri, 22 Feb 2002, Matt K. wrote:

> They most likely got in via dtspcd or ttdbserver. Run strings on
> /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the
> dates on files such as /bin/ls. The rootkit doesn't seem to change the

Also these:
-r-sr-xr-x 1 root root 17156 Jan 14 20:56 m68k
-rwxr-xr-x 1 root root 301632 Jan 14 20:56 mc68000
-r-xr-xr-x 1 root root 9296 Jan 14 20:56 mc68010
-r-sr-xr-x 1 root root 36520 Jan 14 20:56 mc68020
-r-xr-xr-x 1 root root 20064 Jan 14 20:56 mc68030
-r-xr-sr-x 1 root root 55168 Jan 14 20:56 mc68040
-rwxr-xr-x 1 root root 558868 Jan 14 20:56 sshd2
-r-sr-sr-x 1 root root 101744 Jan 14 20:56 sun2
-r-sr-xr-x 1 root root 48028 Jan 14 20:56 sun3
-r-xr-xr-x 1 root root 9028 Jan 14 20:56 sun3x
-r-sr-xr-x 1 root root 29200 Jan 14 20:56 u370
-r-xr-xr-x 1 root root 5256 Jan 14 20:57 w

(cut/paste from a machine I fixed 2 weeks ago. Dates are when our machine
got hacked, not relevant for you).

Specifically, u370 was the real login, and login was replaced.

They replace the programs that ID CPU types, which will never be run.

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
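As an added example, not part of Chris's message or anything from the thread, here is a small POSIX shell audit that turns his observation into a repeatable check: the CPU-type helper programs (m68k, sun2, u370 and the rest of the names in his listing) are normally tiny, unprivileged and never run, so any of them carrying a setuid/setgid bit, being unusually large, or sharing one fresh modification time is worth a closer look. The name list is taken from the listing above, and the 12000-byte size threshold is an assumption chosen from the sizes shown there; adjust both for your own system and compare against a known-clean install or package checksums before drawing conclusions.

```shell
#!/bin/sh
# Added example (not from the original thread): report CPU-type helper
# programs in a directory that look tampered with. Assumes these helpers
# are normally small and unprivileged; the size limit is an assumption.

# Names taken from the directory listing in the thread.
MACHID_NAMES="m68k mc68000 mc68010 mc68020 mc68030 mc68040 sun2 sun3 sun3x u370"

# check_machid_dir DIR [SIZE_LIMIT]
# Prints one line per suspicious file: name, mode, size, mtime, reason.
# Uses ls -ln so it works without GNU stat.
check_machid_dir() {
    dir="$1"
    limit="${2:-12000}"   # assumed threshold, bytes; genuine helpers are far smaller
    for name in $MACHID_NAMES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # Fields: mode links uid gid size month day time name
        set -- $(ls -ln "$f")
        mode="$1"; size="$5"; mtime="$6 $7 $8"
        reason=""
        # Any s/S in the mode string means setuid or setgid is set.
        case "$mode" in *s*|*S*) reason="setuid/setgid" ;; esac
        if [ "$size" -gt "$limit" ]; then
            reason="${reason:+$reason,}size=$size"
        fi
        if [ -n "$reason" ]; then
            printf '%s mode=%s size=%s mtime=%s %s\n' \
                "$name" "$mode" "$size" "$mtime" "$reason"
        fi
    done
}

# Usage when run directly: check_machid_dir /usr/bin
if [ -n "${1:-}" ]; then
    check_machid_dir "$1" "${2:-12000}"
fi
```

The mtime is printed rather than judged, because what matters is whether the helpers all share one timestamp that does not match the rest of the OS install, and that comparison is easier by eye or with a sort over the output than with a hard rule.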

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
