Subject: Re: /tmp/bob on compromised system
From: Fredrik Ostergren (fredrik.ostergren@FREEBOX.COM)
Date: Wed Jul 26 2000 - 07:22:51 CDT
- Next message: Vladimir Ivaschenko: "Re: foreign HTTP requests"
- Previous message: Security: "Re: /tmp/bob on compromised system"
- In reply to: Russell Fulton: "/tmp/bob on compromised system"
- Next in thread: Jeffrey F. Lawhorn: "Re: /tmp/bob on compromised system"
- Reply: Fredrik Ostergren: "Re: /tmp/bob on compromised system"
- Reply: Jeffrey F. Lawhorn: "Re: /tmp/bob on compromised system"
Greetings,

We recently had a Solaris 7 box compromised. We *think* that the crackers got initial access through the oracle account which has the default password :-(.

Network logs show a finger to the box (which sent 3 chars and returned 600, presumably the list of accounts). This was followed a few seconds later by a telnet session. Logs were destroyed so we can not say with any certainty which account was accessed.

The compromise was discovered when the admin noticed some odd files in /tmp and unfortunately he deleted them. One of the files he remembers deleting was /tmp/bob; now that rings a bell in my memory but I can't find any reference to it on securityfocus or anywhere else. I assume that this is a file left from a local elevation of privilege attack but I would like confirmation of that.

Cheers, Russell.
Well, all the stuff about rpc.statd is bullshit. First of all, rpc.statd isn't vulnerable in SunOS 5.7. The attacker was exploiting rpc.cmsd. 100% sure. Contact me for more info at: fredrik.ostergren@freebox.com.

/ Fredrik.
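The sequence Russell describes (a finger query that returns a large account listing, followed seconds later by a telnet session from the same source) is a recognisable reconnaissance-then-login pattern that can be pulled out of network logs automatically. The script below is an added example, not code from either poster. It assumes a simplified, constructed flow-record format (timestamp, source, destination, destination port, bytes sent, bytes returned); the sample records and the 60-second window are my own choices, and the parser would need adapting to whatever a real sensor emits.

```python
"""Flag finger-then-telnet sequences and bulky finger replies in flow logs.

Added example for illustration; the record format and the sample data are
constructed, not taken from the original thread or any real sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FINGER_PORT = 79
TELNET_PORT = 23

# Constructed sample records: one finger probe that sends 3 bytes and gets
# 600 back (the shape described in the thread), telnet from the same source
# six seconds later, and unrelated traffic that must not be flagged.
SAMPLE_LOG = """\
2000-07-24T02:14:03 10.0.0.5 192.0.2.10 79 3 600
2000-07-24T02:14:09 10.0.0.5 192.0.2.10 23 412 1888
2000-07-24T02:20:00 10.0.0.9 192.0.2.10 79 2 55
2000-07-24T03:00:00 10.0.0.9 192.0.2.10 23 300 900
2000-07-24T04:00:00 10.0.0.7 192.0.2.10 23 300 900
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts (assumed format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, b_in, b_out = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes_in": int(b_in),     # bytes the client sent
            "bytes_out": int(b_out),   # bytes the server returned
        })
    return flows


def large_finger_replies(flows, min_bytes=200):
    """Finger requests that sent almost nothing but got a long reply back.

    A null or wildcard finger that returns hundreds of bytes is most likely a
    full user listing, i.e. account enumeration rather than a lookup of one
    user. Returns (src, dst, ts, bytes_out) tuples.
    """
    return [
        (f["src"], f["dst"], f["ts"], f["bytes_out"])
        for f in flows
        if f["dport"] == FINGER_PORT and f["bytes_out"] >= min_bytes
    ]


def find_finger_then_telnet(flows, window=timedelta(seconds=60)):
    """(src, dst, finger_ts, telnet_ts) for each finger followed by telnet
    to the same host from the same source within `window`."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_pair[(f["src"], f["dst"])].append(f)

    hits = []
    for (src, dst), seq in by_pair.items():
        for i, f in enumerate(seq):
            if f["dport"] != FINGER_PORT:
                continue
            # Look forward in time for a telnet connection inside the window.
            for g in seq[i + 1:]:
                if g["ts"] - f["ts"] > window:
                    break
                if g["dport"] == TELNET_PORT:
                    hits.append((src, dst, f["ts"], g["ts"]))
                    break
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, dst, ts, n in large_finger_replies(flows):
        print(f"{ts} {src} -> {dst}: finger returned {n} bytes (enumeration?)")
    for src, dst, t1, t2 in find_finger_then_telnet(flows):
        print(f"{src} fingered {dst} at {t1}, telnet at {t2} "
              f"({int((t2 - t1).total_seconds())} s later)")
```

Run against the embedded sample, only 10.0.0.5 is reported: its finger reply is large and its telnet follows six seconds later. 10.0.0.9 also fingers the host, but the reply is short and its telnet comes forty minutes later, so it falls outside the window. Keep the window short; a finger followed by an interactive login minutes later is ordinary behaviour on a host that still runs both services.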