Re: Sun Ultra10/Sol 5.6 /dev folder keeps growing

From: Jon Harris (j.harris@digital-ink.co.uk)
Date: Mon May 19 2003 - 05:23:42 EDT


Hi List

Thanks for the replies to my recent posting.

Following the advice given - I booted from a Solaris 8 CDROM and mounted
/dev on a new /tmp folder so I could have a look at it.

I found a folder called /dev/prom and in it a file called sn.l which was
over 67Mb and another zero byte file called 'dos'. I have deleted sn.l
and I have got my disk space back - that's the good news.

When I rebooted back from the hard drive I can't see anything in that
folder, but when I ran ls from the /bin folder on the Solaris CD - I can
see it.

The sn.l file itself is a log file, last three lines:

---------------------------
Restart on (date and time)

Log started at => (date and time) [pid 333]
---------------------------

The 333 process is the console. (Gulp!)

Next worrying thing is a folder I found called /dev/pts/01/bin/

It contains:

du
find
ls
netstat
passwd
ping
psr
su

All the files are dated Jan 5 2001

Presumably these are compromised files and I can safely delete them?

I guess my conclusion is that it has been compromised, has anyone come
across these folder/files and have any idea what the nature of this
attack is?

Before I read any replies on this I shall put on a black armband :-(

TIA

Jon Harris
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
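
The offline look at /dev described in the message above can be scripted. This is an added example, not part of the original post: it assumes the suspect root is mounted at the path given as the first argument and that `find` and `sort` come from trusted media such as the install CD; the function names and mount point are hypothetical.

```shell
#!/bin/sh
# Added example: offline look at the /dev tree of a mounted root.
# Assumption: $1 is where the suspect root is mounted, and the find/sort
# in PATH come from trusted media rather than from the suspect disk.

# Regular files anywhere under /dev. /dev normally holds device nodes,
# symlinks and directories, so plain files (logs, binaries) need review.
dev_regular_files() {
    find "$1/dev" -type f -print 2>/dev/null | sort
}

# Regular files under /dev with any execute bit set.
dev_executables() {
    find "$1/dev" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -print 2>/dev/null | sort
}

# Directories below /dev/pts, where only pty entries are expected.
dev_pts_dirs() {
    [ -d "$1/dev/pts" ] || return 0
    find "$1/dev/pts" -type d ! -path "$1/dev/pts" -print 2>/dev/null | sort
}

# Print every non-empty list; return 1 if anything was found, else 0.
scan_dev() {
    found=0
    for check in dev_regular_files dev_executables dev_pts_dirs; do
        out=$($check "$1")
        if [ -n "$out" ]; then
            found=1
            printf '== %s ==\n%s\n' "$check" "$out"
        fi
    done
    return $found
}

# Usage: sh scan_dev.sh /mnt/suspect-root   (mount point is a placeholder)
if [ $# -gt 0 ]; then
    scan_dev "$1"
fi
```

Pass the mount point without a trailing slash. Anything listed is a candidate for review and for copying off as evidence before deletion.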


