SUMMARY: solegg (solbnc, rootkit, dtspcd)

From: Mike van der Velden (mvanderv@redback.com)
Date: Wed Mar 24 2004 - 16:20:15 EST


I added a few extra keywords in the subject line so people searching the
archives might hit this as well.

Thank you to the following people for their quick responses
    Lonnie Ratliff
    Casper Dik
    Stepan Kucherenko
    Joe Fletcher

And the gold star goes to:
    Chris Medaglia

First off, Casper suggested the following if you suspect you have been
compromised:

    Run "pkgchk -n" (it's known that some don't bother updating
    the checksum file) and filter important binaries through the
    Solaris fingerprint database:

    http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl

Lonnie had some other suggestions that might provide additional information:

1. Find a system at the same patch level, then check the sum of
    all the binaries in /bin and /sbin against the good system.
2. Try using the /usr/ucb binaries to see if you get different
    results.
3. Check the rc scripts in /sbin to make sure they haven't been
    modified to run something at startup.
4. Before you change anything, use a "secure" ls -alc to check the
    modified dates. This may help you see how long you have been
    cracked.

A few people pointed out a post to comp.unix.solaris from last September
with the same issue, but with Solaris 8:

http://unix.derkeiler.com/Newsgroups/comp.unix.solaris/2003-09/2308.html

Chris was really enterprising, in that he googled for some of the output
that I had posted that came from strings. Specifically, he googled for
"jess randomsucks" and got some more hits.

Here is one excellent analysis of an attack on a Solaris box.
http://www.honeynet.org/scans/scan28/sol/official

It has many things in common with my solegg problem. This analysis has
some links to other sites, and it makes for fascinating reading. I
found myself using that article as a good starting point for more googles.

There are more hits and references to the Tribe Flood Network DDoS
attack: http://www.cert.org/incident_notes/IN-99-07.html

It doesn't discuss the solegg problem, but it seems that the strings
output on the TFN attack has the same few lines in it, indicating that
the same group may have built the solegg crack as well.

For further reading, I suggest the following:
http://www-scf.usc.edu/~bozhang/personal/PDFs/ddos.pdf
http://ufsdump.org/labs/unix-forensics.html

So, I am guessing that the cracker used a buffer overflow vulnerability
in dtspcd(1m), the CDE Subprocess Control Service, first described in

http://www.cert.org/advisories/CA-2001-31.html

Sun Security Bulletin 00214
<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214>

Sun Alert Notification 41764
<http://sunsolve6.sun.com/search/document.do?assetkey=1-26-41764-1&searchclause=CA-2001-31>

I may be wrong on this, as Sun has released patches for Solaris 8 and
earlier, but not for Solaris 9, leading me to suspect that Sun has
included the fix as part of the base Solaris 9 release. At any rate,
the crackers likely used some sort of buffer overflow to gain access.

Once they had access, they likely installed a rootkit, such as
http://www.honeynet.org/scans/scan28/sol/2/setup.html,
and then installed solegg. I think solegg is an irc bot.

Regardless of whether Sun has patched this or not, I will be disabling port 6112
from /etc/services, and dtspcd from /etc/inetd.conf, both of which are
enabled by default on Solaris 9.

Thanks again for all your help.
Mike
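As an added example (not part of Mike's post, nor a tool named in it), the shell script below implements the checks suggested above: a checksum manifest built on a known-good host at the same patch level and compared against the suspect host's /bin and /sbin, flagging changed, missing and extra files, plus a check that the dtspcd entry (service name dtspc, which /etc/services maps to port 6112) is no longer active in /etc/inetd.conf. It uses only POSIX tools (find, cksum, awk), so it runs on Solaris as well as Linux or BSD. The function names are my own, and the directory trees, file contents and inetd.conf lines in run_demo are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original thread. All paths and file contents
# created in run_demo are constructed sample data.

# make_manifest ROOT
#   Print one "cksum size ./relative/path" line per regular file under ROOT,
#   sorted so the manifest is stable. Take this on a known-good host at the
#   same patch level and carry it to the suspect host on read-only media.
make_manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while read -r f; do
        cksum "$f"
    done )
}

# check_manifest MANIFEST ROOT
#   Print one line per discrepancy between MANIFEST and the tree under ROOT:
#   CHANGED (checksum or size differs), MISSING (in manifest, not on disk),
#   EXTRA (on disk, not in manifest). No output means the tree matches.
check_manifest() {
    manifest=$1
    root=$2
    while read -r sum size path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
        else
            # cksum prints "checksum size path"; compare the first two fields.
            set -- $(cd "$root" && cksum "$path")
            if [ "$1" != "$sum" ] || [ "$2" != "$size" ]; then
                echo "CHANGED $path"
            fi
        fi
    done < "$manifest"
    # Anything on disk that the manifest never listed is a dropped-in file.
    ( cd "$root" && find . -type f -print ) | LC_ALL=C sort | while read -r f; do
        awk -v p="$f" '$3 == p { found = 1 } END { exit !found }' "$manifest" \
            || echo "EXTRA $f"
    done
}

# inetd_enabled INETD_CONF SERVICE
#   Print the active (uncommented) inetd.conf entries whose service field is
#   SERVICE, e.g. "dtspc". No output means inetd will not spawn it.
inetd_enabled() {
    awk -v svc="$2" '$1 == svc' "$1"
}

# disable_inetd_service INETD_CONF SERVICE
#   Comment out SERVICE in INETD_CONF, keeping a .bak copy of the original.
#   On Solaris 9 follow this with "pkill -HUP inetd" so inetd rereads the file.
disable_inetd_service() {
    cp "$1" "$1.bak"
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1.bak" > "$1"
}

# run_demo: exercise both checks on constructed sample data.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/good/bin" "$work/good/sbin" "$work/suspect/bin" "$work/suspect/sbin"
    # "good" stands in for the reference host, "suspect" for the compromised one.
    printf 'genuine ps\n'   > "$work/good/bin/ps"
    printf 'genuine ls\n'   > "$work/good/bin/ls"
    printf 'genuine init\n' > "$work/good/sbin/init"
    printf 'trojaned ps\n'  > "$work/suspect/bin/ps"      # replaced binary
    printf 'genuine ls\n'   > "$work/suspect/bin/ls"      # untouched
    printf 'dropped tool\n' > "$work/suspect/bin/solegg"  # not in the manifest
    make_manifest "$work/good" > "$work/good.manifest"
    check_manifest "$work/good.manifest" "$work/suspect"

    # Constructed inetd.conf with the Solaris dtspc entry and one other service.
    printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' > "$work/inetd.conf"
    printf 'dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd\n' >> "$work/inetd.conf"
    echo "dtspc active before: $(inetd_enabled "$work/inetd.conf" dtspc | wc -l)"
    disable_inetd_service "$work/inetd.conf" dtspc
    echo "dtspc active after:  $(inetd_enabled "$work/inetd.conf" dtspc | wc -l)"
    rm -rf "$work"
}

run_demo
```

Two caveats from the thread itself apply when running this on a live suspect: ps had already been replaced, so find, cksum and awk on the suspect host cannot be trusted either and should come from the /usr/ucb set or from read-only install media, as Lonnie suggests; and cksum is a CRC, good enough to catch a casual replacement but not collision-resistant, so the fingerprint database Casper points to remains the authoritative check for any binary this script does flag.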

Mike van der Velden wrote:

> Yesterday, one of our customers was complaining that our application was
> running very slowly, and was asking us to have a look. It is a
> Sunfire 280 running Solaris 9, relatively unpatched as best as I can
> tell (it's over on the other side of the globe over a slow link).
>
> The ps command did not reveal anything, but the prstat command did
> reveal multiple (3-4) instances of a process called "solegg" running,
> each taking about 15% of the CPU time. Suspicious, I downloaded and
> installed 116012-02, which replaces ps. Sure enough, the new ps showed
> "solegg" to be running. Given the name and the fact that the ps
> command hides this process, I felt quite sure this system had been
> compromised. Strangely, "ls" seems to be unaffected, and the
> chkrootkit script from http://www.chkrootkit.org could not find any
> other evidence of tampering.
>
> We don't know for sure how the solegg process infected the system, or if
> or how many other programs (such as ps) have been infected. It is
> likely that somebody broke into the system and placed the software
> there, as I doubt it's an email transmitted virus. My recommendation
> was to disconnect from the network, newfs all file systems, re-install
> Solaris 9 from CD, and then apply all the latest security and
> recommended patches. Only backups from the database application should
> be allowed to be restored from backups.
>
> I am somewhat familiar with "eggdrop" irc bots being placed on
> compromised linux systems, so I wonder if this is similar. Perhaps it
> is some other sort of "cuckoo's egg" placed by an intruder.
> Unfortunately, we have only been able to find sketchy information about
> solegg on the web. I googled, and I checked the sunmanagers archives,
> but only came up with this one post: http://tinyurl.com/3ftsj. That
> post claims that "One of the document on net shows that it has been
> hacked," but does not provide a URL to this page on the net, and I have
> not been able to find it.
>
> I ran strings on the solegg binary, and this is all it came up with
>
> ----------------------------------------------------------
> mvanderv[715] strings solegg | less
> %d.%d.%d.%d
> jess
> 3.3.3.3
> mservers
> randomsucks
> skillz
> tc: unknown host
> ICMP
> Usage: %s <dst> <src> <size> <number>
> Ports are set to send and receive on port 179
> dst:
> Destination Address
> src:
> Source Address
> size:
> Size of packet which should be no larger than 1024 should allow for xtra
> header info thru routes
> num:
> packets
> Could not resolve %s ducknut
> ./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> ----------------------------------------------------------
>
> the rest is gibberish, and yes "duck" should have the first letter f,
> not d. I only changed it to avoid some potential mail filters.
>
> That's all I know. Does anyone else have any additional information on
> this one? The more info I can provide to our customer service team, and
> hence to the customer, the better. I don't have any further access to
> this system. If I see this again, do you have any additional
> recommendations on what we should check?
>
> Thanks in advance.
>
> --
> Mike van der Velden email mvanderv@redback.com
> System Administrator voice 604-629-7281
> Redback Networks Canada, Inc. pager 604-868-1562
> 200 - 4190 Still Creek Drive fax 604-294-8830
> Burnaby, BC. Canada
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers

This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:20 EDT