Before I begin, this was a duplicate question to "Hacked Help" that got held for a questionable subject line. The summary is also a copy of the same, but I will copy it here for completeness.

First, thanks to the 56 people who responded. By far the most frequent response was to check md5 fingerprints at http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl . I downloaded the md5 from http://sunsolve.sun.com/md5/md5.tar.Z . One suggestion for http://www.sun.com/blueprints/0501/Fingerprint.pdf . Another suggestion was to get and run chkrootkit from http://www.chkrootkit.org which I did first. That suggested the t0rn trojan, but that is known to attack DNS servers, which this server is not running. The other suggestion that was often repeated is to reload, or some combination of remove the server from the network _now_ and boot from CDROM, or remove the drive to another Solaris server and run diagnostics while the compromised drive is mounted in /a .

My solution thus far is to run the chkrootkit first, then check the md5 fingerprints of everything in /usr/bin and /usr/sbin. If it didn't check and I didn't know what it was, it got mv-ed, and if it were a Solaris binary, copied it from the CD. I also wrote all the md5's to a log file and cron a job that creates a file nightly and diff the two for all files in /usr/bin and /usr/sbin . And just for fun I added three lines to my .profile that do a last for root, bin and adm for my inspection each and every time I login. I have disabled root logins except for the console and verified that users bin and adm have the NP no password set. I have not seen any further suspicious logins. I plan to implement the noshell script below.

For anyone interested, the Solaris binaries compromised were /usr/bin/du /usr/bin/ls /usr/bin/passwd /usr/bin/find /usr/bin/netstat /usr/bin/su and the replacements were exactly the same size and date as the original.
Tim Wort went on to say:

> As for the accounts: adm and all system accounts should not have passwords
> or shells configured, they should be locked with the shell replaced, I
> would replace the shell with a script called noshell (from Titan.).
>
> noshell:
>
> #!/bin/sh
> # Ignore the usual signals so the login cannot be interrupted before the mail is sent
> trap "" 1 2 3 4 5 6 7 8 9 10 12 15 19
>
> HOSTNAME=`uname -n`
> # id prints "uid=0(root) gid=0(root)"; keep the first field, then the part after "=", i.e. "0(root)"
> USER=`id | awk '{print $1}' | awk -F= '{print $2}'`
>
> # Mail root an empty message whose subject records the attempt; background it so the exit is not delayed
> /bin/cat /dev/null | mailx -s "Attempted access by ${USER} on host ${HOSTNAME}" root@${HOSTNAME} &
>
> echo "Sorry, you are not allowed to logon."
>
> exit

--
Kevin Metzger
Systems Administrator
Progressive Medical, Inc.

800 777-3574 x2686 desk
614 378-6396 mobile
614 389-0740 fax

Received Fri, 21 Mar 2003, from Kevin Metzger:

-Date: Fri, 21 Mar 2003 15:43:21 -0500 (EST)
-From: Kevin Metzger <kevin@pmimail.com>
-To: sunmanagers mailing list <sunmanagers@sunmanagers.org>
-Subject: verify commands: /usr/bin/passwd, etc
-
-I think I've been hit by invaders and want to verify commonly molested
-commands before running them. Systems are Solaris 7 and 8 on sparc and x86.
-
-The evidence is the output from last:
-dwayne console Fri Mar 21 14:15 - 14:19 (00:04)
-root pts/17 host130-220.pool Fri Mar 21 13:56 - 14:01 (00:04)
-adm pts/16 host130-220.pool Fri Mar 21 13:56 - 13:57 (00:00)
-
-Dwayne is my tech support, but how is someone getting in as adm directly? One
-other machine here shows root, adm and bin logging in. I'm seeing this on
-three separate machines.
-
-thanks in advance and I summarize.
-
---
-Kevin Metzger
-Systems Administrator
-Progressive Medical, Inc.
-
-800 777-3574 x2686 desk
-614 378-6396 mobile
-614 389-0740 fax
-_______________________________________________
-sunmanagers mailing list
-sunmanagers@sunmanagers.org
-http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Apr 4 08:58:55 2003
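The nightly md5 baseline-and-diff job the summary describes, written out as an added example for this thread (it is not the poster's own cron job nor Titan code). It assumes a POSIX shell (on Solaris, /usr/xpg4/bin/sh rather than the old /bin/sh), whichever of md5sum, digest or openssl the host provides, and a baseline file path of /var/adm/bin.md5 chosen here for illustration. The script name binmd5.sh and the function names are the example's own.

```shell
#!/bin/sh
# binmd5.sh - nightly MD5 baseline and diff for /usr/bin and /usr/sbin
# (added example for this thread; not the poster's cron job or Titan code)
#
# Caveat taken from the thread itself: the replaced binaries included
# /usr/bin/find and /usr/bin/ls, so take the first baseline with tools you
# trust (booted from CD, or with the drive mounted under /a on a clean host),
# not with the possibly trojaned ones on the compromised system.

# Print "<32 hex chars>  <path>" for one file, with whatever MD5 tool exists.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1"
    elif command -v digest >/dev/null 2>&1; then
        # Solaris 10 and later: digest -a md5 prints only the hash
        printf '%s  %s\n' "$(digest -a md5 "$1")" "$1"
    else
        printf '%s  %s\n' "$(openssl dgst -md5 "$1" | awk '{print $NF}')" "$1"
    fi
}

# make_baseline OUTFILE DIR... : hash every regular file under DIR..., sorted by path.
make_baseline() {
    out=$1
    shift
    for d in "$@"; do
        find "$d" -type f -print
    done | sort | while read f; do
        hash_file "$f"
    done > "$out"
}

# compare_baseline OLD NEW : print ADDED / CHANGED / REMOVED lines, sorted.
# Returns 0 when the two listings agree and 1 when anything differs, so a
# cron wrapper can mail the output only on a non-zero exit.
compare_baseline() {
    result=$(awk '
        { h = substr($0, 1, 32); p = substr($0, 35) }   # fixed-width hash, two spaces, path
        NR == FNR { old[p] = h; next }                  # first file: the saved baseline
        { new[p] = h }                                  # second file: tonight'"'"'s run
        END {
            for (p in old) if (!(p in new)) print "REMOVED " p
            for (p in new) {
                if (!(p in old))           print "ADDED " p
                else if (old[p] != new[p]) print "CHANGED " p
            }
        }' "$1" "$2" | sort)
    [ -z "$result" ] && return 0
    printf '%s\n' "$result"
    return 1
}

# Command-line use (nothing runs when the file is sourced without arguments):
#   binmd5.sh baseline [FILE]   save a baseline (default /var/adm/bin.md5, an assumed path)
#   binmd5.sh check    [FILE]   rehash and report differences; this is the cron entry
BASE=${2:-/var/adm/bin.md5}
case "${1:-}" in
    baseline)
        make_baseline "$BASE" /usr/bin /usr/sbin
        ;;
    check)
        make_baseline "$BASE.new" /usr/bin /usr/sbin
        compare_baseline "$BASE" "$BASE.new"
        ;;
esac
```

The hash lines are compared by path rather than by line, so the report says which of the three things happened (a new file, a changed file, a file that disappeared) instead of a raw diff; a replacement that keeps the same size and date, as the ones in this thread did, still shows up as CHANGED because only the content is hashed.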
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:08 EST