SUMMARY: Strange problem: What is .. and i am hacked ...

From: Detlev Habicht (
Date: Sun Sep 03 2000 - 14:18:17 CDT

Hi all,

this was my problem:

  I am running a server with Solaris 5.7. I have some network related
  problems. I can't log in via the network, I can't log in on the console, but
  I can via the GUI, and commands like netstat fail.

  netstat looks for the file and can't open it.

  In /usr/lib I found this situation:

  -r-xr-sr-x 1 root root 50712 Sep 2 05:31
  -rw-rw-rw- 1 root sys 0 Jul 16 1997

  On other hosts in other networks I don't find these files.

  What is and where can I find it????? (And why don't I find
  it on my other systems??? :-} )

Well, I have been hacked.

For the moment, a little report of this hack:

- Some files are changed: netstat, du, login, ls, ps, in.telnetd, and some
  other in.* files.
- /usr/lib/autofs/automountd is missing.
- in.fingerd has file size 0.
- You will find dirs with the name ...
- In one ... dir you will find a hint and some original files:

  # more info
  -r-xr-xr-x 34 bin bin 5536 Oct 6 1998 /bin/ps
  -r-xr-sr-x 1 bin sys 50712 Oct 6 1998 /bin/netstat
  -r-sr-xr-x 1 root bin 29292 Oct 6 1998 /bin/login
  -r-xr-xr-x 1 bin bin 27344 Oct 6 1998 /usr/sbin/in.telnetd
  -r-xr-xr-x 1 bin bin 12828 Oct 6 1998 /usr/sbin/in.rshd
  -r-xr-xr-x 1 bin bin 12344 Oct 6 1998 /usr/sbin/in.rlogind

That's all for the moment.

Thanks to Casper Dik, and here are the hints from Casper:

Looks like your system has been hacked; a root kit of sorts has been installed
and it is probably trying to hide connections w/ netstat.

You can use the Solaris Fingerprint Database (under
to find bad executables.

Perhaps someone has info about this hack and a plan to clean the hosts ...


 Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
 Habicht | D-30167 Hannover +49 511 76219662
 --------+-------- Handy    +49 172 5415752  ---------------------------
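
Casper's hint, checking binaries against known-good fingerprints, as an added example that is not part of the original post or of the Solaris Fingerprint Database tooling: a small Python integrity audit that compares a tree against a trusted hash manifest and flags the kinds of findings reported above (a replaced binary whose size did not change, a zero-length daemon, a missing file, and a directory literally named `...`). The `GOOD` contents and the tampered tree are constructed stand-ins, not the real Solaris binaries.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in contents for the known-good binaries (hypothetical; a real
# manifest would come from trusted vendor media or a fingerprint database).
GOOD = {
    "bin/ps": b"ps-good", "bin/netstat": b"netstat-good", "bin/login": b"login-good",
    "usr/sbin/in.telnetd": b"telnetd-good", "usr/sbin/in.fingerd": b"fingerd-good",
    "usr/lib/autofs/automountd": b"automountd-good",
}

def manifest_from(contents):
    """Trusted sha256 digest per relative path."""
    return {rel: hashlib.sha256(b).hexdigest() for rel, b in contents.items()}

def audit(root, manifest):
    """Return sorted (path, reason) findings for deviations from the manifest."""
    findings = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            findings.append((rel, "missing"))
        elif p.stat().st_size == 0:
            findings.append((rel, "zero-length"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            findings.append((rel, "hash mismatch"))   # size alone would not catch this
    for dirpath, dirnames, _ in os.walk(root):      # "..." hides among "." and ".."
        for d in dirnames:
            if d == "...":
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), "suspicious dir name"))
    return sorted(findings)

def build_demo(root):
    """Constructed tampered tree: same-length netstat, empty in.fingerd, no automountd, a '...' dir."""
    on_disk = dict(GOOD)
    on_disk["bin/netstat"] = b"netstat-evil"
    on_disk["usr/sbin/in.fingerd"] = b""
    del on_disk["usr/lib/autofs/automountd"]
    for rel, data in on_disk.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "usr/lib/...").mkdir(parents=True)

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        build_demo(Path(d))
        return audit(Path(d), manifest_from(GOOD))
```

On a real host the manifest must be built from media you trust, not from the suspect system, and the audit should be run from a clean boot environment, since the page itself notes that ls, ps and netstat were replaced.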


This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT