From: Christopher Wong (chris FAU.EDU)
Date: Sun Apr 22 2001 - 14:00:49 CDT
When I noticed our backups weren't working right, I started to investigate.
One of the startup scripts called the /usr/bin/ps command, and I noticed the
file size of ps was off compared to some of our other machines running
Solaris 8. I did a 'strings ps' and found this:
/dev/pts/01/uconf.inv
[file]
find
file_filters
[ps]
ps_filters
[netstat]
netstat
net_filters
[login]
su_pass
su_loc
ping
passwd
shell
/dev/pts/01/bin/psr
lp,uconf.inv,psniff,psr
tw33dl3
/bin/sh
A 'strings ps' I'm guessing should normally return something like this on
Solaris 8:
SUNW_OST_OSCMD
%s: cannot find the ISA list
%s: getexecname() failed
%s: malloc(%d) failed
%s: execve("%s") failed
%s: cannot find/execute "%s" in ISA subdirectories
There was a README in the directory which states:
This is: SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor
If you find this file, most likely your host has been hacked by a user
of this rootkit. If you want information about this tool, removal
instructions or such, please email bert.smith mbox.bol.bg
The author takes NO RESPONSIBILITY for anyone who misuses this tool.
Please quote the following version number in any emails.. if the rootkit
wasn't installed the version will be in a file named "iver"
17645914
There are quite a few shell scripts and Solaris binary replacements in the
/dev/pts/01 directory. There were also 5 or 6 other machines with this
directory as well. I tried asking around and doing some research on the web
and came back with practically nothing. Does anyone have any suggestions?
Regards,
--
Christopher Wong
Florida Atlantic University
chrisfau.edu
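The two checks that surfaced this rootkit, a binary whose size drifted from its peers and a 'strings' dump containing paths that have no business in ps, can be scripted so they run across a fleet rather than being noticed by accident. The script below is an added example written for this archive page; it is not from the original post, the Neohapsis list, or the rootkit. It builds its own two stand-in files (a "clean" ps carrying the isaexec wrapper messages quoted above, and a "trojaned" ps carrying the strings from the compromised binary), so it runs offline without touching a real system; the suspicious-string patterns are assumptions drawn from the post's strings output, and the baseline value would in practice be recorded from a known-good host or install media. It avoids depending on binutils by extracting printable runs with tr and grep.

```shell
#!/bin/sh
# Added example (not from the original post): flag a system binary that
# (a) drifts from a recorded size/checksum baseline, or (b) carries strings
# a clean Solaris ps has no reason to contain.

# Poor man's strings(1): runs of 4+ printable ASCII characters, one per line.
# LC_ALL=C keeps tr working on bytes regardless of the caller's locale.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Assumed indicators, taken from the post's 'strings ps' output. The
# /dev/pts/<n>/ path is the strongest tell: pts entries are device nodes,
# not directories with binaries under them.
SUSPICIOUS_RE='^/dev/pts/[0-9]+/|ps_filters|net_filters|file_filters|uconf\.inv|psniff'

# Print each suspicious string in FILE; exit status 0 if any, 1 if none.
scan_binary_strings() {
    printable_strings "$1" | grep -E "$SUSPICIOUS_RE"
}

# Number of suspicious strings in FILE (prints 0 when clean).
count_suspicious_strings() {
    printable_strings "$1" | grep -Ec "$SUSPICIOUS_RE"
}

# "crc size" for FILE: what you would record from a trusted host.
record_baseline() {
    set -- $(cksum "$1")          # cksum prints: <crc> <bytes> <name>
    echo "$1 $2"
}

# Compare FILE with a recorded "crc size" baseline; prints match or MISMATCH.
check_baseline() {
    now=$(record_baseline "$1")
    if [ "$now" = "$2" ]; then
        echo match
    else
        echo "MISMATCH now=$now expected=$2"
    fi
}

# ---- constructed sample input (stands in for real binaries) ----------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Stand-in for a clean Solaris 8 ps: the isaexec wrapper messages from the
# post, separated by a non-printable byte to mimic binary content.
printf 'SUNW_OST_OSCMD\001%%s: cannot find the ISA list\001%%s: getexecname() failed\001' \
    > "$WORKDIR/ps.clean"

# Stand-in for the trojaned ps, using the strings the post reported.
printf '/dev/pts/01/uconf.inv\001[ps]\001ps_filters\001[netstat]\001net_filters\001/dev/pts/01/bin/psr\001tw33dl3\001/bin/sh\001' \
    > "$WORKDIR/ps.trojan"

# Baseline recorded from the "trusted" copy.
BASELINE=$(record_baseline "$WORKDIR/ps.clean")

# Demo run: report both files. The trojan fails both checks.
for f in "$WORKDIR/ps.clean" "$WORKDIR/ps.trojan"; do
    echo "== $f: baseline $(check_baseline "$f" "$BASELINE"); $(count_suspicious_strings "$f") suspicious string(s)"
    scan_binary_strings "$f" | sed 's/^/   /'
done
```

On a real host, run record_baseline against the binaries of a freshly installed machine (or the contents of install media) and keep the results off the suspect system; a trojaned file like the one in the post will fail the checksum comparison even if the attacker pads it to the original size, and the string scan gives a second, independent signal when no baseline exists.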