Hi all,

this was my problem:

  I am running a server with Solaris 5.7. I have some network related
  problems. I can't log in via network, I can't log in on the console, but
  via GUI, and commands like netstat fail.

  netstat looks for the file and can't open it.

  In /usr/lib I found this situation:

  -r-xr-sr-x 1 root root 50712 Sep 2 05:31
  -rw-rw-rw- 1 root sys 0 Jul 16 1997

  On other hosts in other networks I don't find these files.

  What is and where can I find it????? (And why don't I find
  it in my other systems??? :-} )

Well, I am hacked.

For the moment a little report of this hack:

- Some files are changed: netstat, du, login, ls, ps, in.telnetd, and some
  other in.* files.
- /usr/lib/autofs/automountd is missing.

- in.fingerd has filesize 0

- You will find dirs with name ...

- In one ...-dir you will find a hint and some orig files:

  # more info
  -r-xr-xr-x 34 bin bin 5536 Oct 6 1998 /bin/ps
  -r-xr-sr-x 1 bin sys 50712 Oct 6 1998 /bin/netstat
  -r-sr-xr-x 1 root bin 29292 Oct 6 1998 /bin/login
  -r-xr-xr-x 1 bin bin 27344 Oct 6 1998 /usr/sbin/in.telnetd
  -r-xr-xr-x 1 bin bin 12828 Oct 6 1998 /usr/sbin/in.rshd
  -r-xr-xr-x 1 bin bin 12344 Oct 6 1998 /usr/sbin/in.rlogind

That's all for the moment.

Thanks to Casper Dik, and here are the hints from Casper:

Looks like your system has been hacked; a root kit of sorts has been installed
and it is probably trying to hide connections w/ netstat.

You can use the Solaris Fingerprint Database (under
to find bad executables.

Perhaps someone has info about this hack and a plan to clean the hosts ...


 Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
 Habicht | D-30167 Hannover +49 511 76219662
 --------+-------- Handy    +49 172 5415752  ---------------------------
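
Added example (not part of the original post): a shell triage script that checks a mounted copy of the filesystem for the indicators listed above and hashes the binaries named in the info listing, for comparison with known-good values. Because ls, du and ps were replaced on the affected host, it assumes the disk is mounted on a trusted machine; the mount point argument and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. ROOT ($1) is an assumed mount
# point of the suspect filesystem on a trusted analysis host.

# Paths taken from the "info" listing quoted in the post.
SUSPECTS="bin/ps bin/netstat bin/login usr/sbin/in.telnetd usr/sbin/in.rshd usr/sbin/in.rlogind"

# Directories literally named "..." (the post found rootkit files in them).
find_dot_dirs() {
    find "$1" -type d -name '...' -print 2>/dev/null
}

# Zero-length in.* daemons (the post reports in.fingerd with size 0).
find_empty_daemons() {
    find "$1/usr/sbin" -type f -name 'in.*' -size 0 -print 2>/dev/null
}

# Files the post reports as missing after the compromise.
find_missing() {
    for f in usr/lib/autofs/automountd; do
        if [ ! -e "$1/$f" ]; then echo "$1/$f"; fi
    done
}

# Digest each suspect binary that exists, for comparison with known-good values.
# md5sum is assumed on the analysis host; the cksum fallback is a CRC, not MD5.
hash_suspects() {
    for f in $SUSPECTS; do
        if [ -f "$1/$f" ]; then
            if command -v md5sum >/dev/null 2>&1; then md5sum "$1/$f"; else cksum "$1/$f"; fi
        fi
    done
}

# Number of indicators found under ROOT.
count_indicators() {
    { find_dot_dirs "$1"; find_empty_daemons "$1"; find_missing "$1"; } | wc -l | tr -d ' '
}

# Usage: sh triage.sh /mnt/suspect
if [ $# -gt 0 ]; then
    find_dot_dirs "$1"; find_empty_daemons "$1"; find_missing "$1"
    hash_suspects "$1"
    echo "indicators: $(count_indicators "$1")"
fi
```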

