Subject: Re: /tmp/bob on compromised system
From: Matt Merhar (grid_goolah@HOTMAIL.COM)
Date: Mon Jul 24 2000 - 23:37:25 CDT
- Next message: Joseph Pingenot: "Re: /tmp/bob on compromised system"
- Previous message: Jose Nazario: "Re: Sudden increase in scans."
- Maybe in reply to: Russell Fulton: "/tmp/bob on compromised system"
- Next in thread: Security: "Re: /tmp/bob on compromised system"
- Next in thread: Joseph Pingenot: "Re: /tmp/bob on compromised system"
- Maybe reply: Matt Merhar: "Re: /tmp/bob on compromised system"
- Reply: Security: "Re: /tmp/bob on compromised system"
/tmp/bob is a sign that you've been compromised through known rpc exploits,
such as ttdb/cmsd/statd, and the likes. /tmp/bob is used as the
configuration file for the inetd process the exploit starts, which usually
puts a bindshell on ingreslock (port 1524).
>From: Russell Fulton <r.fulton@AUCKLAND.AC.NZ>
>Reply-To: r.fulton@AUCKLAND.AC.NZ
>To: INCIDENTS@SECURITYFOCUS.COM
>Subject: /tmp/bob on compromised system
>Date: Tue, 25 Jul 2000 10:34:58 +1200
>
>Greetings,
> We recently had a Solaris 7 box compromised. We *think* that
>the crackers got initial access through the oracle account which has
>the default password :-(.
>
>Network logs show a finger to the box (which sent 3 chars and returned
>600, presumably the list of accounts). This was followed a few seconds
>later by a telnet session. Logs were destroyed so we cannot say with
>any certainty which account was accessed.
>
>The compromise was discovered when the admin noticed some odd files in
>/tmp and unfortunately he deleted them. One of the files he remembers
>deleting was /tmp/bob, now that rings a bell in my memory but I can't
>find any reference to it on securityfocus or anywhere else. I assume
>that this is a file left from a local elevation of privilege attack
>but I would like confirmation of that.
>
>Cheers, Russell.
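Two defender-side checks for the artifact Matt describes (an inetd started from a rogue configuration such as /tmp/bob, serving a bindshell on ingreslock), written as an added example that is not code from the thread or from any of its posters. The function names, the sample config lines and the sample `ps -ef` listing are all constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Two checks a defender
# can run for the artifact described above: an inetd started from a rogue
# config such as /tmp/bob, serving a bindshell on ingreslock (1524/tcp).

# audit_inetd_conf: read inetd.conf-format lines on stdin
# (service socket proto wait user server args...) and print
# "LINENO:service:server" for each entry that uses the ingreslock service
# or hands the connecting client a shell. Returns 1 if any were found.
audit_inetd_conf() {
    set -f                       # no globbing while splitting with set --
    found=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac     # blank line or comment
        set -- $line
        [ $# -ge 6 ] || continue                     # not a full service entry
        service=$1; server=$6
        case "$service:$server" in
            ingreslock:*|*:*/sh|*:*/ksh|*:*/csh|*:*/bash|*:sh|*:ksh|*:csh|*:bash)
                found=1; echo "$n:$service:$server" ;;
        esac
    done
    set +f
    [ "$found" -eq 0 ]
}

# find_rogue_inetd: read `ps -ef` output on stdin and print "PID:path" for
# every inetd whose command line names a config file outside /etc.
find_rogue_inetd() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /(^|\/)inetd$/) break
        if (i > NF) next
        for (j = i + 1; j <= NF; j++)
            if ($j ~ /^\// && $j !~ /^\/etc\//) print $2 ":" $j
    }'
}

# Constructed sample input standing in for a real /tmp/bob and a real ps
# listing; on a live host use: audit_inetd_conf < /tmp/bob; ps -ef | find_rogue_inetd
SAMPLE_CONF='# legitimate service
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
ingreslock stream tcp nowait root /bin/sh sh -i'
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   152     1  0   Jul 20 ?        0:01 /usr/sbin/inetd -s
    root  9122     1  0 10:41:03 ?        0:00 /usr/sbin/inetd -s /tmp/bob'

printf '%s\n' "$SAMPLE_CONF" | audit_inetd_conf || echo "rogue entries listed above"
printf '%s\n' "$SAMPLE_PS" | find_rogue_inetd
```

Both checks are read-only; the second one is also worth pairing with `netstat -an` to confirm whether anything is actually listening on 1524/tcp.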