|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: /tmp/bob on compromised system
From: Russell Fulton (r.fulton
AUCKLAND.AC.NZ)Date: Mon Jul 24 2000 - 17:34:58 CDT
- Next message: Richard Bartlett: "Re: Which webserver exploit is this?"
- Previous message: Joe McAlerney: "Re: Sudden increase in scans."
- Next in thread: Matt Merhar: "Re: /tmp/bob on compromised system"
- Reply: Matt Merhar: "Re: /tmp/bob on compromised system"
- Reply: Jens Oeser: "Re: /tmp/bob on compromised system"
- Reply: Jeffrey F. Lawhorn: "Re: /tmp/bob on compromised system"
- Reply: Adam Pendleton: "Re: /tmp/bob on compromised system"
- Reply: Lynch Sean: "Re: /tmp/bob on compromised system"
- Reply: Fredrik Ostergren: "Re: /tmp/bob on compromised system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Greetings,
We recently had a solaris 7 box compromised. We *think* that
the crackers got initial access through the oracle account which has
the default password :-(.
Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts). This was followed a few seconds
later by a telnet session. Logs were destroyed so we can not say with
any certainty which account was accessed.
The compromise was discovered when the admin noticed some odd files in
/tmp and unfortunately he deleted them. One of the files he remembers
deleting was /tmp/bob, now that rings a bell in my memory but I can't
find any reference to it on securityfocus or anywhere else. I assume
that this is a file left from a local elevation of priviledge attack
but I would like confirmation of that.
Cheers, Russell.
- Next message: Richard Bartlett: "Re: Which webserver exploit is this?"
- Previous message: Joe McAlerney: "Re: Sudden increase in scans."
- Next in thread: Matt Merhar: "Re: /tmp/bob on compromised system"
- Reply: Matt Merhar: "Re: /tmp/bob on compromised system"
- Reply: Jens Oeser: "Re: /tmp/bob on compromised system"
- Reply: Jeffrey F. Lawhorn: "Re: /tmp/bob on compromised system"
- Reply: Adam Pendleton: "Re: /tmp/bob on compromised system"
- Reply: Lynch Sean: "Re: /tmp/bob on compromised system"
- Reply: Fredrik Ostergren: "Re: /tmp/bob on compromised system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]