Subject: Re: /tmp/bob on compromised system
From: Jens Oeser (Jens.Oeser@CONNECTOR.DE)
Date: Tue Jul 25 2000 - 03:34:55 CDT
- Next message: Lic. Rodolfo Gonzalez Gonzalez: "sunrpc scans"
- Previous message: Joseph Pingenot: "Re: /tmp/bob on compromised system"
- Maybe in reply to: Russell Fulton: "/tmp/bob on compromised system"
- Next in thread: Jeffrey F. Lawhorn: "Re: /tmp/bob on compromised system"
- Maybe reply: Jens Oeser: "Re: /tmp/bob on compromised system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi!
Well, "/tmp/bob" is just an inetd.conf-like file which is created by some RPC
exploits from Horizon. A second inetd is launched and reads that file to
start a bindshell which mostly binds to port 1524 (ingreslock). Maybe that
was a cmsd exploit; take a look at /var/spool/calendar ... maybe there
still is a file "callog.root.SOMETHING" ... look at the end of that file,
the "Author" entry could be your attacker. Note that a normal "root" user
creates a "callog.root.SOMETHING" file also.
Maybe you should think about proper packet filtering, if that attack came
from the internet. Filter out the portmapper AND the RPC ports ... filtering
only portmap does not make much sense; every time an RPC service is called
from within the network, it is available for every bad guy on the internet.
regards,
Jens Oeser
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton@AUCKLAND.AC.NZ]
> Sent: Tuesday, 25 July 2000 00:35
> To: INCIDENTS@SECURITYFOCUS.COM
> Subject: /tmp/bob on compromised system
>
>
> Greetings,
> We recently had a Solaris 7 box compromised. We *think* that
> the crackers got initial access through the oracle account which has
> the default password :-(.
>
> Network logs show a finger to the box (which sent 3 chars and returned
> 600, presumably the list of accounts). This was followed a few seconds
> later by a telnet session. Logs were destroyed so we can not say with
> any certainty which account was accessed.
>
> The compromise was discovered when the admin noticed some odd files in
> /tmp and unfortunately he deleted them. One of the files he remembers
> deleting was /tmp/bob, now that rings a bell in my memory but I can't
> find any reference to it on securityfocus or anywhere else. I assume
> that this is a file left from a local elevation of privilege attack
> but I would like confirmation of that.
>
> Cheers, Russell.
>
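A defender-side triage helper for the three checks Jens describes (a second inetd started with a config file other than /etc/inetd.conf, a listener on 1524/tcp, and the author entries in callog files), added here as an example and not part of the thread. It runs over constructed ps, netstat and callog samples, and the `(author "user@host")` entry format is an assumption about CDE calendar logs, so compare it against the real file before trusting the parser.

```shell
#!/bin/sh
# Constructed sample data standing in for `ps -ef`, `netstat -an` and a
# /var/spool/calendar/callog.root.* file; not output from the compromised box.
PS_SAMPLE='    root   131     1  0 08:00:01 ?        0:00 /usr/sbin/inetd -s
    root  2041     1  0 23:58:11 ?        0:00 /usr/sbin/inetd -s /tmp/bob
    root   200     1  0 08:00:03 ?        0:00 /usr/dt/bin/rpc.cmsd'
NETSTAT_SAMPLE='      *.111     *.*     0  0 24576  0 LISTEN
      *.1524    *.*     0  0 24576  0 LISTEN
      *.23      *.*     0  0 24576  0 LISTEN'
CALLOG_SAMPLE='Version: 4
(add "Mon Jul 24 08:10:00 2000" (key 1) (what "meeting") (author "root@victim"))
(add "Mon Jul 24 23:58:00 2000" (key 2) (what "note") (author "someone@example.invalid"))'

# Config files handed to any inetd other than /etc/inetd.conf (the second
# inetd reading /tmp/bob that the thread describes).
extra_inetd() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /inetd$/)
            for (j = i + 1; j <= NF; j++)
                if ($j !~ /^-/ && $j != "/etc/inetd.conf") print $j
    }'
}

# Listening sockets on 1524/tcp (ingreslock), the bindshell port named above.
suspicious_listeners() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" {
        n = split($1, a, "."); if (a[n] == "1524") print a[n]
    }'
}

# Distinct author entries from a callog file; the (author "user@host") form is
# assumed from CDE calendar logs, so check it against the real file first.
callog_authors() {
    printf '%s\n' "$1" | awk '
        match($0, /\(author "[^"]*"\)/) {
            s = substr($0, RSTART + 9, RLENGTH - 11)
            if (!seen[s]++) print s
        }'
}

echo "inetd config files other than /etc/inetd.conf:"
extra_inetd "$PS_SAMPLE"
echo "listeners on 1524/tcp:"
suspicious_listeners "$NETSTAT_SAMPLE"
echo "callog authors (compare against the users who legitimately use root's calendar):"
callog_authors "$CALLOG_SAMPLE"
```

On a live box, feed the functions `ps -ef`, `netstat -an` and `cat /var/spool/calendar/callog.root.*` instead of the samples; an author that is not a known root user is worth a closer look, since Jens notes a legitimate root calendar produces the same file.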