SUMMARY rootkit Re: Solaris 10 ps command error.

From: simonb (simonb@zapik.co.uk)
Date: Mon Nov 13 2006 - 11:02:29 EST


> Hi
>
> I hope you can help me. When I issue a ps -ef command I get the
> following:
>
> # ps -ef
> /usr/lib/libX.a/bin/rps: cannot find/execute "rps" in ISA subdirectories
> #
>
> I think this server has had a rootkit installed because of the existence
> of the /usr/lib/libX.a directory.
>
> Can anybody confirm this directory exists on a standard install please.
> Any advice would be greatly appreciated.
>
> Thanks.
>
> Simon.

Yes, the system was attacked and a rootkit installed. It looks like an SMC
exploit was used to gain root access from a user with a poor password.

Jass ver 4.2 has now been applied to the server along with a tightening
up of the hardening process. That will teach them :)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
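
The indicator in this thread is a directory, /usr/lib/libX.a, named like a static library archive and holding a bin/ subdirectory. The following check for that pattern is an added example, not part of the original post; the function names are hypothetical and the tree to scan is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): report directories under a
# library tree whose names look like library files, plus any executables
# they contain. A name such as libX.a is expected to be a regular file;
# a directory with that name is worth a closer look.
# Function names are hypothetical. Paths containing newlines are not handled.

# find_masquerading_dirs ROOT
#   Print directories under ROOT named like a static archive (*.a)
#   or a shared object (*.so, *.so.N).
find_masquerading_dirs() {
    find "$1" -type d \
        \( -name '*.a' -o -name '*.so' -o -name '*.so.*' \) \
        -print 2>/dev/null
}

# list_executables DIR
#   Print regular files under DIR that have any execute bit set.
list_executables() {
    find "$1" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -print 2>/dev/null
}

# scan_lib_tree ROOT
#   One SUSPECT line per matching directory, followed by an indented
#   EXEC line for each executable found inside it.
scan_lib_tree() {
    find_masquerading_dirs "$1" | while IFS= read -r dir; do
        printf 'SUSPECT %s\n' "$dir"
        list_executables "$dir" | while IFS= read -r file; do
            printf '  EXEC %s\n' "$file"
        done
    done
}

# Stand-alone use: sh scan.sh /usr/lib
if [ "$#" -gt 0 ]; then
    scan_lib_tree "$1"
fi
```

On a host where ps has already been replaced, find and sh may not be trustworthy either, so run the check with binaries from known-good media or against the disk mounted on another system.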


