solegg

From: Mike van der Velden (mvanderv@redback.com)
Date: Wed Mar 24 2004 - 13:36:13 EST


Yesterday, one of our customers was complaining that our application was
running very slowly, and was asking us to have a look. It is a
Sunfire 280 running Solaris 9, relatively unpatched as best as I can
tell (it's over on the other side of the globe over a slow link).

The ps command did not reveal anything, but the prstat command did
reveal multiple (3-4) instances of a process called "solegg" running,
each taking about 15% of the CPU time. Suspicious, I downloaded and
installed 116012-02, which replaces ps. Sure enough, the new ps showed
"solegg" to be running. Given the name and the fact that the ps
command hides this process, I felt quite sure this system had been
compromised. Strangely, "ls" seems to be unaffected, and the
chkrootkit script from http://www.chkrootkit.org could not find any
other evidence of tampering.

We don't know for sure how the solegg process infected the system, or if
or how many other programs (such as ps) have been infected. It is
likely that somebody broke into the system and placed the software
there, as I doubt it's an email transmitted virus. My recommendation
was to disconnect from the network, newfs all file systems, re-install
Solaris 9 from CD, and then apply all the latest security and
recommended patches. Only backups from the database application should
be allowed to be restored.

I am somewhat familiar with "eggdrop" IRC bots being placed on
compromised Linux systems, so I wonder if this is similar. Perhaps it
is some other sort of "cuckoo's egg" placed by an intruder.
Unfortunately, we have only been able to find sketchy information about
solegg on the web. I googled, and I checked the sunmanagers archives,
but only came up with this one post: http://tinyurl.com/3ftsj. That
post claims that "One of the document on net shows that it has been
hacked," but does not provide a URL to this page on the net, and I have
not been able to find it.

I ran strings on the solegg binary, and this is all it came up with:

----------------------------------------------------------
mvanderv[715] strings solegg | less
%d.%d.%d.%d
jess
3.3.3.3
mservers
randomsucks
skillz
tc: unknown host
ICMP
Usage: %s <dst> <src> <size> <number>
Ports are set to send and receive on port 179
dst:
Destination Address
src:
Source Address
size:
Size of packet which should be no larger than 1024 should allow for xtra
header info thru routes
num:
packets
Could not resolve %s ducknut
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
----------------------------------------------------------

The rest is gibberish, and yes, "duck" should have the first letter f,
not d. I only changed it to avoid some potential mail filters.

That's all I know. Does anyone else have any additional information on
this one? The more info I can provide to our customer service team, and
hence to the customer, the better. I don't have any further access to
this system. If I see this again, do you have any additional
recommendations on what we should check?

Thanks in advance.

--
Mike van der Velden                        email  mvanderv@redback.com
System Administrator                       voice  604-629-7281
Redback Networks Canada, Inc.              pager  604-868-1562
200 - 4190 Still Creek Drive               fax    604-294-8830
Burnaby, BC.  Canada
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
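The post's key observation is that prstat showed processes that the installed ps did not, and that a fresh ps from patch 116012-02 agreed with prstat. The check below turns that into a repeatable comparison: enumerate processes from a source that does not go through the suspect binary, then list everything the reported view omits. This is an added example, not code from the original post or from Sun; the sample process tables are constructed (the PIDs and names other than "solegg" are made up), and the live-check path assumes a Linux-style /proc layout with a per-process comm file, which differs on Solaris.

```python
"""
Cross-check two independent process enumerations to spot processes that
one tool hides.  Added example, not from the original post: a trojaned
ps that drops entries still cannot change what the kernel's own process
table says, so any disagreement between the two views is the signal.
"""
import os
import re
import subprocess
from typing import Dict

# Constructed sample: what a trustworthy enumeration (reading the kernel's
# process table via /proc, or a freshly patched ps/prstat) might return.
SAMPLE_PROC_VIEW: Dict[int, str] = {
    1: "init",
    215: "sshd",
    412: "oracle",
    715: "solegg",   # present in the kernel's view ...
    716: "solegg",
    980: "prstat",
}

# Constructed sample: the same instant as reported by a ps binary that has
# been modified to omit entries.  The layout mimics `ps -eo pid,comm`.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
    1 init
  215 sshd
  412 oracle
  980 prstat
"""


def parse_ps(text: str) -> Dict[int, str]:
    """Parse `ps -eo pid,comm` style output into {pid: command}.
    The header line has no leading digits and is skipped."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def read_proc_table() -> Dict[int, str]:
    """Enumerate processes by reading /proc directly, bypassing ps.
    Assumes the Linux layout (/proc/<pid>/comm); Solaris lays out
    /proc differently, so this function is an assumption for that OS."""
    procs: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                procs[int(entry)] = f.read().strip()
        except OSError:
            continue  # process exited between listdir() and open()
    return procs


def hidden_processes(trusted: Dict[int, str],
                     reported: Dict[int, str]) -> Dict[int, str]:
    """Return the PIDs present in the trusted view but missing from the
    reported view.  A non-empty result from a stable set of PIDs across
    several runs means the reporting tool is dropping entries."""
    return {pid: name for pid, name in trusted.items() if pid not in reported}


def live_check() -> Dict[int, str]:
    """Compare the host's ps binary against /proc.  Short-lived processes
    can appear in one snapshot and not the other, so treat only PIDs that
    stay hidden across repeated runs as suspicious."""
    ps = subprocess.run(["ps", "-eo", "pid,comm"],
                        capture_output=True, text=True, check=True)
    return hidden_processes(read_proc_table(), parse_ps(ps.stdout))


if __name__ == "__main__":
    missing = hidden_processes(SAMPLE_PROC_VIEW, parse_ps(SAMPLE_PS_OUTPUT))
    for pid, name in sorted(missing.items()):
        print(f"hidden from ps: pid {pid} ({name})")
```

On the constructed sample the comparison reports PIDs 715 and 716 as hidden, which is the same discrepancy the post saw between prstat and the old ps. The independent source matters more than the script: on a box where ps is suspect, /proc or a binary copied from known-good media is the reference, and the tool being tested is never used as its own check.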


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:20 EDT