From: Steve Mancini (smancini ICHIPS.INTEL.COM)
Date: Wed Jan 17 2001 - 17:11:51 CST
-----Original Message-----
From: Byron Rendar [mailto:byronr mcmurdo.oci.pcc.edu]
Sent: Wednesday, January 17, 2001 12:37 PM
Subject: hack indications
Hi,
Does any of this indicate how/what happened?
FIRST
My logs had entries like the following about the time
I think the break-in occurred.
Jan 14 13:06:07 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:06:47 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:07:15 mcmurdo last message repeated 1 time
Jan 14 13:07:49 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:08:09 mcmurdo last message repeated 1 time
Jan 14 13:08:19 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:10:05 mcmurdo last message repeated 5 times
Jan 14 13:10:16 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:10:24 mcmurdo last message repeated 1 time
Jan 14 13:10:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:27 mcmurdo last message repeated 1 time
Jan 14 13:10:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:10:57 mcmurdo last message repeated 2 times
Jan 14 13:11:23 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:11:31 mcmurdo last message repeated 1 time
Jan 14 13:11:32 mcmurdo /usr/dt/bin/rpc.ttdbserverd[2708]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:33 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:34 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: iserase(): 78
Jan 14 13:11:35 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3548]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Jan 14 13:11:35 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:11:37 mcmurdo /usr/dt/bin/rpc.ttdbserverd[3549]: iserase(): 78
Jan 14 13:20:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:20:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:30:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:40:57 mcmurdo inetd[3545]: ingreslock/tcp: bind: Address already in use
Jan 14 13:46:58 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Killed
Jan 14 20:30:01 mcmurdo telnetd[5002]: ttloop: peer died: Bad file number
SECOND
I found a binary /sbin/xlogin that was new.
THIRD
I found a directory in /dev/pts called 01 modified 1/14/01.
It contained:
/diskt2/home/byronr/preserve/01:
bin
cleaner
crypt
l3
patcher
pg
su-backup
uconf.inv
utime
/diskt2/home/byronr/preserve/01/bin:
du
find
ls
netstat
passwd
ping
psr
su
Patcher looks like:
#!/bin/sh
VER=`uname -r`
cd /tmp
# ./install_cluster -nosave -q
# Ok.. so if theyre not lame, and running this on SunOS like they should...
case $VER in
5.5)
# 5.5 patchkit replaces su, ps, ping, login
cp /usr/bin/su /dev/pts/01/55su
cp /usr/bin/ps /dev/pts/01/55ps
cp /usr/sbin/ping /dev/pts/01/55ping
cp /usr/bin/login /dev/pts/01/55login
etc.
----- End of forwarded message from Mancini, Steve -----
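
Added example, not part of the original message: a Python triage pass over syslog text in the format quoted above. It counts signal-terminated daemons reported by inetd (expanding "last message repeated N times") and lists inetd PIDs that logged only bind failures. The sample lines are constructed from the excerpt's format with wrapped lines rejoined; the function name `triage` and the result keys are this example's own.

```python
import re
from collections import Counter
# Constructed sample in the format of the excerpt above (wrapped lines rejoined).
SAMPLE = """\
Jan 14 13:06:07 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Bus Error
Jan 14 13:07:15 mcmurdo last message repeated 1 time
Jan 14 13:07:49 mcmurdo inetd[183]: /usr/dt/bin/rpc.cmsd: Illegal Instruction
Jan 14 13:10:05 mcmurdo last message repeated 5 times
Jan 14 13:10:27 mcmurdo inetd[3542]: ingreslock/tcp: bind: Address already in use
Jan 14 13:11:33 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Jan 14 13:46:58 mcmurdo inetd[183]: /usr/dt/bin/rpc.ttdbserverd: Killed
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) (.*)$")      # timestamp, host, message
INETD = re.compile(r"^inetd\[(\d+)\]: (\S+): (.*)$")         # pid, service, detail
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
CRASH = ("Bus Error", "Illegal Instruction", "Segmentation Fault")

def triage(text):
    """Summarise inetd child crashes and bind failures in syslog text."""
    crashes, binds = Counter(), []
    exit_pids, bind_pids = set(), set()
    last = None  # service named by the previous crash line, for "repeated N times"
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, _host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            if last:
                crashes[last] += int(rep.group(1))
            continue
        last = None
        i = INETD.match(msg)
        if not i:
            continue
        pid, service, detail = i.groups()
        if detail.startswith("bind:"):
            binds.append((stamp, pid, service))
            bind_pids.add(pid)
            continue
        exit_pids.add(pid)
        if detail.startswith(CRASH):
            crashes[service] += 1
            last = service
    # PIDs with only bind failures: check on the host for a separate inetd (assumption, not proof).
    return {"crashes": dict(crashes), "bind_failures": binds,
            "bind_only_pids": sorted(bind_pids - exit_pids)}
```

Calling `triage(SAMPLE)` returns the per-daemon crash counts, the bind failures with their timestamps, and the inetd PIDs to examine further.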