Subject: Re: /tmp/bob on compromised system
From: Adam Pendleton (APendleton at VGSINC.COM)
Date: Mon Jul 24 2000 - 20:56:23 CDT
- Next message: Petar Computers RooT: "flood"
- Previous message: Jeffrey F. Lawhorn: "Re: /tmp/bob on compromised system"
- Maybe in reply to: Russell Fulton: "/tmp/bob on compromised system"
- Next in thread: Rob McCauley: "Re: /tmp/bob on compromised system"
- Maybe reply: Adam Pendleton: "Re: /tmp/bob on compromised system"
- Reply: Rob McCauley: "Re: /tmp/bob on compromised system"
I seem to recall that the /tmp/bob file is part of the ingreslock exploit.
Check out the CERT Incident Note IN-99-04 and related CERT stuff for more
information.
Adam H. Pendleton
Security Engineer
VGS, Inc.
Fairfax, Virginia
-----Original Message-----
From: Russell Fulton [mailto:r.fulton at AUCKLAND.AC.NZ]
Sent: Monday, July 24, 2000 18:35
To: INCIDENTS at SECURITYFOCUS.COM
Subject: /tmp/bob on compromised system
Greetings,
We recently had a Solaris 7 box compromised. We *think* that
the crackers got initial access through the oracle account, which has
the default password :-(.
Network logs show a finger to the box (which sent 3 chars and returned
600, presumably the list of accounts). This was followed a few seconds
later by a telnet session. Logs were destroyed, so we cannot say with
any certainty which account was accessed.
The compromise was discovered when the admin noticed some odd files in
/tmp, and unfortunately he deleted them. One of the files he remembers
deleting was /tmp/bob; now that rings a bell in my memory, but I can't
find any reference to it on securityfocus or anywhere else. I assume
that this is a file left from a local elevation of privilege attack,
but I would like confirmation of that.
Cheers, Russell.
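The CERT note Adam points to describes /tmp/bob as an inetd-style configuration file that binds a root shell to the ingreslock service, started with a second inetd instance (`inetd -s /tmp/bob`). The script below is an added example for checking a host for that pattern; it is not code from this thread or from CERT. It assumes the file uses /etc/inetd.conf syntax (service, socket type, protocol, wait/nowait, user, server program, argv) and that an attacker-started inetd shows up in `ps` with a non-standard config path as its argument, Solaris-style. The sample config and `ps` lines embedded in it are constructed for the demonstration.

```python
"""Look for an inetd-driven root shell of the kind CERT IN-99-04 ties to /tmp/bob.

Added example, not code from the mailing-list thread or from CERT. Assumes
/tmp/bob uses /etc/inetd.conf syntax and that a rogue inetd appears in `ps`
as `inetd -s <alternate-config>` (Solaris-style invocation).
"""
from pathlib import Path

# Programs that, handed a socket by inetd, give the remote side a shell.
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}
STANDARD_INETD_CONF = "/etc/inetd.conf"

# Constructed sample in the format IN-99-04 describes for /tmp/bob.
SAMPLE_TMP_BOB = """\
# constructed sample, not a file from the compromised host
ingreslock stream tcp nowait root /bin/sh sh -i
"""

# Constructed sample of a benign /etc/inetd.conf fragment.
SAMPLE_INETD = """\
ftp    stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
telnet stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
echo   stream tcp nowait root   internal
"""

# Constructed `ps -ef` lines: the system inetd, a rogue copy, and a telnetd.
SAMPLE_PS = [
    "root 123 1 0 09:00:00 ? 0:00 /usr/sbin/inetd -s",
    "root 456 1 0 18:40:12 ? 0:00 /usr/sbin/inetd -s /tmp/bob",
    "root 789 456 0 18:41:03 ? 0:00 /usr/sbin/in.telnetd",
]


def parse_inetd_line(line):
    """Parse one inetd.conf line; return None for blank, comment or short lines."""
    body = line.split("#", 1)[0].strip()
    fields = body.split()
    if len(fields) < 6:
        return None
    service, socktype, proto, wait, user = fields[:5]
    program, *argv = fields[5:]
    return {"service": service, "socktype": socktype, "proto": proto,
            "wait": wait, "user": user, "program": program, "argv": argv}


def spawns_shell(entry):
    """True if the server program or its argv[0] is a shell (e.g. '/bin/sh sh -i')."""
    names = [Path(entry["program"]).name]
    names += [Path(a).name for a in entry["argv"][:1]]
    return any(n in SHELLS for n in names)


def find_shell_services(config_text):
    """Return (line_no, service, user, program) for every entry that serves a shell."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        entry = parse_inetd_line(line)
        if entry and spawns_shell(entry):
            hits.append((line_no, entry["service"], entry["user"], entry["program"]))
    return hits


def find_alternate_inetd(ps_lines):
    """Return config paths of inetd processes that were not started on /etc/inetd.conf."""
    alternates = []
    for line in ps_lines:
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.endswith("inetd")), None)
        if idx is None:
            continue
        # Any absolute path after the inetd binary is its config file argument.
        paths = [t for t in tokens[idx + 1:] if t.startswith("/")]
        alternates.extend(p for p in paths if p != STANDARD_INETD_CONF)
    return alternates


if __name__ == "__main__":
    # On a live host: inspect the standard config and the file named in the thread.
    for path in (STANDARD_INETD_CONF, "/tmp/bob"):
        try:
            text = Path(path).read_text()
        except OSError:
            continue
        for hit in find_shell_services(text):
            print(f"{path}: line {hit[0]} serves {hit[3]} as {hit[2]} on {hit[1]}")
    # Demonstration on the constructed samples.
    print("shell services in sample /tmp/bob:", find_shell_services(SAMPLE_TMP_BOB))
    print("shell services in sample inetd.conf:", find_shell_services(SAMPLE_INETD))
    print("inetd with alternate config:", find_alternate_inetd(SAMPLE_PS))
```

On a real system, pipe `ps -ef` output into `find_alternate_inetd` and compare any listening service on the ingreslock port (1524/tcp in /etc/services) against what inetd.conf actually declares; a shell served as root by any service name, not just ingreslock, is the condition worth alerting on, since the service name is whatever the attacker chose.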