From: SecLists (lists secure.stargate.net)
Date: Thu Feb 14 2002 - 10:53:39 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All:
Just saw a Solaris rootkit that was installed, apparently after a
successful compromise of the dtspcd service on a Solaris 7 box...
I had never seen it before and for those that also haven't, it installed
in /usr/lib/vold/nsdap which isn't seen with regular ls... /dev/null's all
the logs, etc.
There are a few executable shell scripts in there... There is also a
/etc/init.d/network added with the following contents:
/usr/bin/sshd2 -q
This sshd runs on port 17811...
Too much to cover in one email... replaces the normal ps, netstat, etc...
I can send a copy of the rootkit if there are enough people out there that
haven't seen this...
thanks,
shawn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE8a+ue3Qw8DHute6kRAtbjAJ9AIqFuKPNGLKGKmJ3TRUELRaqgDgCdF95X
m6aM2pprjmHk67/aFUeTSM0=
=FHgr
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
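
An offline triage check for the indicators named in the message above, added here as an example; it is not part of the original post or of the rootkit's files. The function name check_root, its output format, the log paths, and the reading of "/dev/null's all the logs" as symlinks to /dev/null are assumptions.

```shell
#!/bin/sh
# Added example: look for the indicators from the post on a read-only mount
# of the suspect disk, using the analysis host's own binaries. The post says
# ls, ps, netstat, etc. on the box were replaced, so tools on the compromised
# system itself cannot be trusted to show these paths.

# Assumed log locations (common Solaris paths); the post names no files.
LOGS="var/adm/messages var/adm/wtmpx var/adm/utmpx var/log/syslog"

# check_root ROOT: print one "FOUND ..." line per indicator present under ROOT.
check_root() {
    root=${1%/}

    # Install directory named in the post.
    if [ -e "$root/usr/lib/vold/nsdap" ]; then
        echo "FOUND install dir: /usr/lib/vold/nsdap"
    fi

    # Startup script the post says was added, launching sshd2.
    if grep -q 'sshd2' "$root/etc/init.d/network" 2>/dev/null; then
        echo "FOUND startup entry: /etc/init.d/network runs sshd2"
    fi

    # The backdoor daemon binary referenced by that script.
    if [ -e "$root/usr/bin/sshd2" ]; then
        echo "FOUND binary: /usr/bin/sshd2"
    fi

    # Logs redirected to /dev/null (assumed to be done with symlinks).
    for l in $LOGS; do
        f="$root/$l"
        if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
            echo "FOUND nulled log: /$l -> /dev/null"
        fi
    done
    return 0
}

# Stand-alone use: ./check.sh /mnt/suspect
if [ $# -gt 0 ]; then
    check_root "$1"
fi
```

The listener on port 17811 is best confirmed by connecting from a separate host, since the local netstat is reported as replaced.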