This was my problem:
I am running a server with Solaris 5.7. I have some network related
problems. I can't login via network, I can't login on the console, but
via GUI and commands like netstat fail.
netstat looks for the file ldlibns.so and can't open it.
In /usr/lib I found this situation:
-r-xr-sr-x 1 root root 50712 Sep 2 05:31 ldlibnet.so
-rw-rw-rw- 1 root sys 0 Jul 16 1997 ldlibns.so
On other hosts in other networks I don't find these files.
What is ldlibns.so and where can I find it????? (And why I don't find
it in my other systems??? :-} )
Well, I am hacked.
For the moment a little report of this hack:
- Some files are changed: netstat, du, login, ls, ps, in.telnetd, and some
- /usr/lib/autofs/automountd is missing.
- in.fingerd has filesize 0
- You will find dirs with name ...
- In one ...-dir you will find a hint and some orig files:
# more info
-r-xr-xr-x 34 bin bin 5536 Oct 6 1998 /bin/ps
-r-xr-sr-x 1 bin sys 50712 Oct 6 1998 /bin/netstat
-r-sr-xr-x 1 root bin 29292 Oct 6 1998 /bin/login
-r-xr-xr-x 1 bin bin 27344 Oct 6 1998 /usr/sbin/in.telnetd
-r-xr-xr-x 1 bin bin 12828 Oct 6 1998 /usr/sbin/in.rshd
-r-xr-xr-x 1 bin bin 12344 Oct 6 1998 /usr/sbin/in.rlogind
This for the moment.
Thanks to Casper Dik, and here are the hints from Casper:
Looks like your system has been hacked; a root kit of sorts has been installed
and it is probably trying to hide connections w/ netstat.
You can use the Solaris Fingerprint Database (under sunsolve.sun.com)
to find bad executables.
Perhaps someone has info about this hack and a plan to clean the hosts ...
--
Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
Habicht | D-30167 Hannover +49 511 76219662 email@example.com
--------+-------- Handy +49 172 5415752 ---------------------------
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT
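A triage sketch for the two listings in the post, added here as an example and not part of the original message or of any Sun tool: it parses the `ls -l` lines and flags zero-length files, world-writable files, and files whose mode and size match a binary recorded in the intruder's "info" file. The function names and heuristics are hypothetical, and a match is only a lead to follow up with a checksum comparison such as the Solaris Fingerprint Database lookup suggested above.

```python
import re

# Listings copied from the post; the /usr/lib directory is prefixed to the
# two bare file names so every entry carries a full path.
USR_LIB = """\
-r-xr-sr-x 1 root root 50712 Sep 2 05:31 /usr/lib/ldlibnet.so
-rw-rw-rw- 1 root sys 0 Jul 16 1997 /usr/lib/ldlibns.so
"""
INFO_FILE = """\
-r-xr-xr-x 34 bin bin 5536 Oct 6 1998 /bin/ps
-r-xr-sr-x 1 bin sys 50712 Oct 6 1998 /bin/netstat
-r-sr-xr-x 1 root bin 29292 Oct 6 1998 /bin/login
-r-xr-xr-x 1 bin bin 27344 Oct 6 1998 /usr/sbin/in.telnetd
-r-xr-xr-x 1 bin bin 12828 Oct 6 1998 /usr/sbin/in.rshd
-r-xr-xr-x 1 bin bin 12344 Oct 6 1998 /usr/sbin/in.rlogind
"""

# mode, links, owner, group, size, three date tokens, path
LS_RE = re.compile(
    r"^([-dlbcps][-rwxsStTl]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

def parse_ls(text):
    """Turn `ls -l` lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            mode, owner, group, size, path = m.groups()
            entries.append({"mode": mode, "owner": owner, "group": group,
                            "size": int(size), "path": path})
    return entries

def triage(suspect, reference):
    """Flag entries worth checksumming first (hypothetical heuristics)."""
    by_sig = {(r["mode"], r["size"]): r["path"] for r in reference}
    findings = []
    for e in suspect:
        if e["size"] == 0:
            findings.append((e["path"], "zero-length file"))
        if e["mode"][8] == "w":  # index 8 is the write bit for "other"
            findings.append((e["path"], "world-writable"))
        twin = by_sig.get((e["mode"], e["size"]))
        if twin and twin != e["path"]:
            findings.append((e["path"], f"same mode and size as {twin}"))
    return findings

if __name__ == "__main__":
    for path, reason in triage(parse_ls(USR_LIB), parse_ls(INFO_FILE)):
        print(f"{path}: {reason}")
```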