SUMMARY recovering from hack

From: Deborah Crocker (
Date: Tue Aug 17 1999 - 15:07:48 CDT

Thanks to many for help. The result was that /usr/bin/login
and /usr/bin/ps are binary compatible between the Ultra machines
and the SPARC 5. Checked md5 checksums to confirm this.

I do appreciate the advice which came back... "you should have had
a backup"... but as a User Service Consultant I am rather more like
a medic than a general. I get called in to clean up the mess.

The machines were not rebuilt from scratch. The hacker was a "script
kiddie" judging by how much trash was left around. His (her?) changes
were pretty obvious. They ran a sniffer and left a log of their own
connection activity. And since they broke /usr/bin/login on several
machines and took rpc.cmsd out of inetd.conf they weren't able to get
back to see what they had done. I was able to see where they got their
hacked versions of login and ps and where they launched from. Those
machine owners have been notified. Since the machines were on a pretty
isolated piece of network they didn't sniff much.

Rest assured that the affected machines now have tcpwrappers and

Deb Crocker
User Service
Seebeck Computer Center
University of Alabama

The original question was:
> Our campus was hacked on the weekend on a couple of machines that had the
> rpc.cmsd hole open. The attacker replaced binaries for /usr/bin/login
> and /usr/bin/ps.
> On the ultra machines that were hit I was able to restore from an
> untouched machine. The last machine to fix up is a Sparc 5 running
> Solaris 2.6 (sun4m). I'm assuming I can't just grab the Ultra binaries
> (sun4u) in this case. Or that perhaps at least ps is not the same. I
> have no other 2.6 machine of like type at my disposal.
> What's the best way to restore? I do have the CD
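The checksum comparison the summary relies on (a known-good host or the install CD as the reference, md5 of each binary compared against it) is easy to script so that every binary of interest is checked, not just login and ps. The script below is an added example, not part of the original post or of Solaris; the "binaries" it checks are constructed text files in a temporary directory so it runs offline, and md5_of is a wrapper over whichever digest tool the host has (md5sum on Linux, md5 on BSD/macOS, digest on later Solaris, openssl as a fallback). A real baseline would be generated with make_baseline on the untouched machine or from the media and carried to the suspect host.

```shell
#!/bin/sh
# Added example (not from the original post): build an MD5 manifest of
# system binaries on a trusted host and verify a suspect host against it.
# The files used by demo() are constructed stand-ins, not real binaries.

# md5_of FILE -> hex MD5 digest of FILE, using whatever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# make_baseline ROOT FILE... -> prints "digest path" for each FILE under
# ROOT. Paths are relative to ROOT so the manifest can be checked on a
# different host or on a root mounted elsewhere (e.g. booted from CD).
make_baseline() {
    root=$1; shift
    for f in "$@"; do
        printf '%s %s\n' "$(md5_of "$root/$f")" "$f"
    done
}

# verify_baseline MANIFEST ROOT -> prints one line per missing or modified
# file and returns the number of problems (0 means everything matched).
verify_baseline() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(md5_of "$root/$path")" != "$want" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    return $bad
}

# demo MODE -> builds a constructed "good" tree, takes a baseline from it,
# copies it to a second tree and, when MODE is "hacked", replaces login and
# ps in the copy (as in the incident). Prints the number of problems found.
demo() {
    mode=$1
    tmp=$(mktemp -d) || { echo 99; return 1; }
    mkdir -p "$tmp/good/usr/bin" "$tmp/suspect/usr/bin"
    for b in login ps ls; do
        printf 'constructed stand-in for %s\n' "$b" > "$tmp/good/usr/bin/$b"
        cp "$tmp/good/usr/bin/$b" "$tmp/suspect/usr/bin/$b"
    done
    make_baseline "$tmp/good" usr/bin/login usr/bin/ps usr/bin/ls \
        > "$tmp/baseline.md5"
    if [ "$mode" = "hacked" ]; then
        printf 'trojaned login\n' > "$tmp/suspect/usr/bin/login"
        printf 'trojaned ps that hides the sniffer\n' > "$tmp/suspect/usr/bin/ps"
    fi
    rc=0
    verify_baseline "$tmp/baseline.md5" "$tmp/suspect" >/dev/null || rc=$?
    rm -rf "$tmp"
    echo "$rc"
}
```

In practice the manifest itself must come from a trusted place (a host the attacker never touched, or the CD) and the digest tool should be run from that trusted copy too, since a replaced ps or login is exactly the kind of thing that can also be accompanied by a replaced checksum utility.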

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:24 CDT