SUMMARY: hacked help

From: Kevin Metzger <>
Date: Fri Apr 04 2003 - 08:46:45 EST
First, thanks to the 42 people who responded.

By far the most frequent response was to check md5 fingerprints at
http://sunsolve.Sun.COM/pub-cgi/ .  I downloaded the md5
from .  One suggestion for .

Another suggestion was to get and run chkrootkit from which I did first.  That suggested the t0rn trojan,
but that is known to attack DNS servers, and this server is not running one.

The other suggestion that was often repeated is to reload, or some combination
of remove the server from the network _now_ and boot from CDROM, or remove the
drive to another Solaris server and run diagnostics while the compromised
drive is mounted in /a .

My solution thus far is to run chkrootkit first, then check the md5
fingerprints of everything in /usr/bin and /usr/sbin.  If it didn't check and
I didn't know what it was, it got mv-ed, and if it was a Solaris binary, I
copied it from the CD.  I also wrote all the md5's to a log file and cron a
job that creates a file nightly and diffs the two for all files in /usr/bin and
/usr/sbin .  And just for fun I added three lines to my .profile that do a
last for root, bin and adm for my inspection each and every time I login.  I
have disabled root logins except for the console and verified that users bin
and adm have the NP no password set.  I have not seen any further suspicious
logins.  I plan to implement the noshell script below.

For anyone interested, the Solaris binaries compromised were
and the replacements were exactly the same size and date as the original.

Tim Wort went on to say:
>As for the accounts: adm and all system accounts should not have passwords
>or shells configured, they should be locked with the shell replaced, I
>would replace the shell with a script called noshell (from Titan).
>#!/bin/sh
># ignore interrupt/termination signals so the caller cannot break out early
>trap "" 1 2 3 4 5 6 7 8 9 10 12 15 19
>HOSTNAME=`uname -n`
># second field of "uid=0(root) ...", i.e. the uid and name of the caller
>USER=`id | awk '{print $1}' | awk -F= '{print $2}'`
># alert root with an empty-bodied mail, in the background, then refuse the login
>/bin/cat /dev/null | mailx -s "Attempted access by ${USER} on host ${HOSTNAME}" root@${HOSTNAME} &
>echo "Sorry, you are not allowed to logon."

Kevin Metzger
Systems Administrator
Progressive Medical, Inc.

800 777-3574 x2686 desk
614 378-6396 mobile
614 389-0740 fax

Received Fri, 21 Mar 2003, from Kevin Metzger:

-Date: Fri, 21 Mar 2003 14:52:26 -0500 (EST)
-From: Kevin Metzger <>
-To: sunmanagers mailing list <>
-Subject: hacked help
-I think I've been hacked and am going to change the root and other passwords.
-How can I verify that my passwd command has not been compromised?
-Thanks and I will summarize.
-Kevin Metzger
-sunmanagers mailing list
sunmanagers mailing list
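The nightly "write the md5's to a file and diff the two" check described in the summary, as an added example that is not part of the original post: it builds a checksum baseline of a directory and, going a step beyond a plain diff, reports which files changed, appeared or disappeared. It assumes GNU md5sum (Sun's md5 from SunSolve prints a different line format) and file names without whitespace; the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-compare
# integrity check in the spirit of the nightly md5 cron job described
# above. Assumptions: the hash tool is GNU "md5sum" (swap in Sun's md5
# if you are on Solaris) and file names contain no whitespace.

# make_baseline DIR OUTFILE: record "hash  path" for every regular file
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        md5sum "$f"
    done > "$2"
}

# compare_baseline OLD NEW: print CHANGED/ADDED/REMOVED paths.
# Returns 0 when the trees match, 1 when anything differs, so a cron
# wrapper can mail the report only when there is something to look at.
compare_baseline() {
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline: path -> hash
        {
            seen[$2] = 1
            if (!($2 in base))        print "ADDED   " $2
            else if (base[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical nightly use (paths are illustrative, not from the post):
#   make_baseline /usr/bin /var/adm/md5.today
#   compare_baseline /var/adm/md5.baseline /var/adm/md5.today
```

Take the baseline from known-good media (after the reinstall, or from the CD copies), not from the running system, or a replaced binary simply becomes part of the baseline.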
Received on Fri Apr 4 11:44:48 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:08 EST