Re: Solaris hack

From: Steve Huston (huston@astro.Princeton.EDU)
Date: 02/28/02


Date: Thu, 28 Feb 2002 16:29:04 -0500 (EST)
From: Steve Huston <huston@astro.Princeton.EDU>
To: "Christopher X. Candreva" <chris@westnet.com>

On Mon, 25 Feb 2002, Christopher X. Candreva wrote:

> On Fri, 22 Feb 2002, Matt K. wrote:
>
> > They most likely got in via dtspcd or ttdbserver. Run strings on
> > /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the
> > dates on files such as /bin/ls. The rootkit doesn't seem to change the
>
> Specifically, u370 was the real login, and login was replaced.
>
> They replace the programs that ID CPU types, which will never be run.

I just got one of these too; upon booting from CD and doing a little poking
around, I found in /usr/lib/vold/nsdap the file 'defines', which contained the
following:

======

# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
# Your email address
EMAIL="bert.smith@mbox.bol.bg"
# debug mode on or off
DEBUG=0

# file location settings

BACKUP_LS="/usr/bin/mc68000"
BACKUP_DU="/usr/bin/mc68010"
BACKUP_PS="/usr/bin/mc68020"
BACKUP_UCBPS="/usr/ucb/bin/ps"
BACKUP_SU="/usr/bin/m68k"
BACKUP_PASSWD="/usr/bin/sun2"
BACKUP_FIND="/usr/bin/mc68030"
BACKUP_NETSTAT="/usr/bin/mc68040"
BACKUP_PING="/usr/bin/sun3"
BACKUP_STRINGS="/usr/bin/sun3x"
BACKUP_LSOF="/usr/bin/lso"
BACKUP_LOGIN="/usr/bin/u370"

======

-- 
Steve Huston - System Administrator, Dept. of Astrophysical Sciences
 Princeton University  |     ICBM Address: 40.346525   -74.651285
   126 Peyton Hall     |"On my ship, the Rocinante, wheeling through
 Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
   (609) 258-7375      | headlong into mystery."  -Rush, 'Cygnus X-1'

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
