From: Miller, Rick (Rick.MillerCWUSA.COM)
Date: Mon Apr 23 2001 - 14:35:08 CDT

    This looks like the recent exploit for snmpXdmid that you can read about at
    http://www.securityfocus.com/bid/2417. I've personally seen one machine
    exploited with this.

    -----Original Message-----
    From: Christopher Wong
    To: FOCUS-SUNSECURITYFOCUS.COM
    Sent: 4/22/01 3:00 PM
    Subject: probable hack?

    When I noticed our backups weren't working right, I started to
    investigate. One of the startup scripts called the /usr/bin/ps command,
    and I noticed the file size of ps was off compared to some of our other
    machines running Solaris 8. I did a 'strings ps' and found this:

      /dev/pts/01/uconf.inv
      [file]
      find
      file_filters
      [ps]
      ps_filters
      [netstat]
      netstat
      net_filters
      [login]
      su_pass
      su_loc
      ping
      passwd
      shell
      /dev/pts/01/bin/psr
      lp,uconf.inv,psniff,psr
      tw33dl3
      /bin/sh

    A 'strings ps' I'm guessing should normally return something like this
    on Solaris 8:

      SUNW_OST_OSCMD
      %s: cannot find the ISA list
      %s: getexecname() failed
      %s: malloc(%d) failed
      %s: execve("%s") failed
      %s: cannot find/execute "%s" in ISA subdirectories

    There was a README in the directory which states:

      This is: SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor
      If you find this file, most likely your host has been hacked by a user
      of this rootkit. If you want information about this tool, removal
      instructions or such, please email bert.smithmbox.bol.bg
      The author takes NO RESPONSIBILITY for anyone who misuses this tool.

      Please quote the following version number in any emails.. if the
      rootkit wasn't installed the version will be in a file named "iver"

      17645914

    There are quite a few shell scripts and Solaris binary replacements in
    the /dev/pts/01 directory. There were also 5 or 6 other machines with
    this directory as well. I tried asking around and doing some research on
    the web and came back with practically nothing. Does anyone have any
    suggestions?

    Regards,

    --
    Christopher Wong
    Florida Atlantic University
    chrisfau.edu
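The by-hand check described in the thread (hash a binary against a trusted copy, then look for strings that do not belong in a stock ps) can be scripted. The following is an added example, not code from the original posts or the rootkit: the sample "binaries", the baseline hash and the indicator pattern list are constructed here from the strings quoted above.

```shell
#!/bin/sh
# Added example, not from the original thread. Offline triage of a suspected
# trojaned binary: compare its SHA-256 with a known-good baseline and look for
# strings that have no business in a stock Solaris ps. Samples are constructed.

# Indicator strings quoted in the post (hidden /dev/pts/ paths, filter names).
SUSPECT_PATTERNS='/dev/pts/[0-9]+/|uconf\.inv|(ps|net|file)_filters|su_pass|psniff'

# Portable stand-in for `strings`: keep runs of 4+ printable characters.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# check_strings FILE -> prints indicator hits; exit 0 if any, 1 if clean.
check_strings() {
    printable_strings "$1" | grep -E "$SUSPECT_PATTERNS"
}

# file_hash FILE -> SHA-256 hex digest (sha256sum on Linux, shasum elsewhere).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# triage FILE BASELINE_HASH -> echoes CLEAN, or SUSPICIOUS with the reasons.
# A hash mismatch alone is enough: a patched ps need not carry odd strings.
triage() {
    reasons=""
    [ "$(file_hash "$1")" = "$2" ] || reasons="hash-mismatch"
    if check_strings "$1" >/dev/null; then reasons="$reasons rootkit-strings"; fi
    if [ -z "$reasons" ]; then echo CLEAN; else echo "SUSPICIOUS:$reasons"; fi
}

# --- constructed samples standing in for /usr/bin/ps on two hosts ---
WORK=$(mktemp -d)
CLEAN="$WORK/ps.clean"; TROJAN="$WORK/ps.trojan"
printf 'SUNW_OST_OSCMD\n%%s: getexecname() failed\n%%s: malloc(%%d) failed\n' > "$CLEAN"
cp "$CLEAN" "$TROJAN"
printf '/dev/pts/01/uconf.inv\nps_filters\nsu_pass\n/dev/pts/01/bin/psr\n/bin/sh\n' >> "$TROJAN"
CLEAN_HASH=$(file_hash "$CLEAN")   # the baseline a trusted host would provide

triage "$CLEAN" "$CLEAN_HASH"    # CLEAN
triage "$TROJAN" "$CLEAN_HASH"   # SUSPICIOUS:hash-mismatch rootkit-strings
```

In practice the baseline hash comes from install media or a host known to be clean, never from the suspect machine itself, since a replaced ps (or a replaced sha256sum) on that host cannot be trusted.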