Subject: Re: sadmind hack?
From: Chad Roberts (mcrDYSON.SPHERE.COM)
Date: Fri Apr 14 2000 - 07:49:56 CDT


On Thu, Apr 13, 2000 at 02:13:09PM +0800, Yip Chan Keong wrote:
> I have gotten the following messages in my /var/adm/messages file on my
> Solaris 2.6 host. Is it a sign of a break-in? telnet and ftp on my host are
> limited by TCP Wrappers. Any idea how the exploit is made?
>
> Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
> Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
> Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
> Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
> Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
>
> many thanks and regards,
> /yck

I just recently investigated a box for a client that got hacked into, and
sadmind is how they got in, at least as best I can tell. Entries exactly
like those were in the messages file. Chances are that unless you patched
against this (patch released Dec. '99, I think) you've been hacked. I'd be
interested in discussing details of what sorts of trojans, backdoors, etc.
you've discovered, if any.

--

Chad Roberts Senior System Engineer chadsphere.com Sphere Solutions, Inc. http://www.sphere.com
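As an added example, not code from either poster: the footprint both messages describe, a run of inetd-spawned sadmind core dumps a few seconds apart in /var/adm/messages, can be pulled out of the log and flagged with a short Python script. The sample log embeds the lines quoted in the post plus one constructed benign crash the previous evening and one constructed unrelated line; the year (syslog timestamps carry none), the cluster gap and the crash threshold are assumptions chosen for this example.

```python
import re
from datetime import datetime, timedelta

# Lines inetd writes to syslog when a child it spawned dies on a signal.
# Only core dumps are matched; the trailing "Hangup" line is ignored.
CRASH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) inetd\[\d+\]: /usr/sbin/sadmind: "
    r"(?P<signal>Bus Error|Segmentation Fault) - core dumped$"
)


def parse_sadmind_crashes(lines, year=2000):
    """Return [(timestamp, host, signal)] for every sadmind core-dump line.

    Solaris syslog timestamps have no year, so one is supplied by the caller
    (assumed to be 2000 here, matching the date of the post)."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line.rstrip())
        if not m:
            continue  # other daemons, "Hangup", noise: not counted
        stamp = " ".join(m.group("ts").split())  # collapse "Apr  5" -> "Apr 5"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("signal")))
    return events


def find_bursts(events, min_crashes=3, max_gap=timedelta(seconds=30)):
    """Cluster crashes per host: consecutive crashes no more than max_gap
    apart belong to one cluster; clusters of >= min_crashes are reported.
    Both thresholds are assumptions for this example, not published values."""
    by_host = {}
    for ts, host, signal in sorted(events):
        by_host.setdefault(host, []).append((ts, signal))

    alerts = []
    for host, crashes in by_host.items():
        clusters, cluster = [], [crashes[0]]
        for cur in crashes[1:]:
            if cur[0] - cluster[-1][0] <= max_gap:
                cluster.append(cur)
            else:
                clusters.append(cluster)
                cluster = [cur]
        clusters.append(cluster)
        for c in clusters:
            if len(c) >= min_crashes:
                alerts.append({
                    "host": host,
                    "first": c[0][0],
                    "last": c[-1][0],
                    "count": len(c),
                    "signals": [s for _, s in c],
                })
    return alerts


# Constructed sample: the four crash lines and the Hangup line from the post,
# plus one isolated crash the evening before and one unrelated line.
SAMPLE_MESSAGES = """\
Apr 11 22:10:03 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
Apr 12 06:50:12 xxxx sendmail[220]: NOQUEUE: SYSERR(root): connection lost
"""


if __name__ == "__main__":
    crashes = parse_sadmind_crashes(SAMPLE_MESSAGES.splitlines())
    for a in find_bursts(crashes):
        print(f"{a['host']}: {a['count']} sadmind core dumps between "
              f"{a['first']:%b %d %H:%M:%S} and {a['last']:%H:%M:%S}: "
              f"{', '.join(a['signals'])}")
```

One isolated core dump is not evidence of anything on its own; it is the cluster of several within seconds, the shape the quoted log shows, that the script reports. Before reading too much into the output, check whether sadmind is even reachable: `rpcinfo -p` on the host lists the registered RPC services (sadmind is program number 100232), and since the messages carry the `inetd[...]` prefix the service is started from /etc/inetd.conf, which is also where it is disabled.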