SUMMARY recovering from hack

From: Deborah Crocker (crock@bama.ua.edu)
Date: Tue Aug 17 1999 - 15:07:48 CDT


Thanks to many for help. The result was that /usr/bin/login
and /usr/bin/ps are binary compatible between the ultra machines
and the sparc 5. Checked md5 checksums to confirm this.

I do appreciate advice which came back..."you should have had
backup" but as a User Service Consultant I am rather more like
a medic than a general. I get called in to clean up the mess.

The machines were not rebuilt from scratch. The hacker was a "script
kiddie" judging by how much trash was left around. His (her?) changes
were pretty obvious. They ran a sniffer and left a log of their own
connection activity. And since they broke /usr/bin/login on several
machines and took rpc.cmsd out of inetd.conf they weren't able to get
back to see what they had done. I was able to see where they got their
hacked versions of login and ps and where they launched from. Those
machine owners have been notified. Since the machines were on a pretty
isolated piece of network they didn't sniff much.

Rest assured that the affected machines now have tcpwrappers and
rpcbind.

Deb Crocker
User Service
Seebeck Computer Center
University of Alabama

------------------------------------------------
The original question was:
> Our campus was hacked on the weekend on a couple of machines that had the
> rpc.cmsd hole open. The attacker replaced binaries for /usr/bin/login
> and /usr/bin/ps.
>
> On the ultra machines that were hit I was able to restore from an
> untouched machine. The last machine to fix up is a Sparc 5 running
> Solaris 2.6 (sun4m). I'm assuming I can't just grab the Ultra binaries
> (sun4u) in this case. Or that perhaps at least ps is not the same. I
> have no other 2.6 machine of like type at my disposal.
>
> What's the best way to restore? I do have the CD
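The checksum comparison Deb describes (confirming that the binaries on a suspect host match those on an untouched host of the same architecture and patch level) is easy to script. The following is an added example, not part of the original summary or question; it builds a baseline of MD5 sums from a known-good tree, then checks a suspect tree against it and reports anything missing or altered. The file trees, their contents and the temporary directory are constructed here purely for the demo; in practice the baseline comes from a clean machine or the install media, and the hashing tool itself should be run from trusted media rather than from the host under examination.

```shell
#!/bin/sh
# Added example: compare checksums of binaries on a suspect host against a
# baseline taken from a known-good host of the same architecture.
# All paths and sample file contents below are constructed for the demo.

# Print the MD5 of a file, using whichever tool the host provides.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Build a baseline: one "<md5> <relative path>" line per file under $1.
make_baseline() {
    root=$1
    ( cd "$root" && find . -type f | sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# Compare every entry in baseline file $1 against the files under $2.
# Prints each file that is missing or altered; returns 0 only if all match.
verify_against_baseline() {
    baseline=$1; root=$2; bad=0
    while read -r sum rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(hash_file "$root/$rel")" != "$sum" ]; then
            echo "MODIFIED $rel"; bad=1
        fi
    done < "$baseline"
    return $bad
}

# --- constructed demo data: a "known-good" tree and a "suspect" tree ---
WORK=$(mktemp -d)
mkdir -p "$WORK/good/usr/bin" "$WORK/suspect/usr/bin"
printf 'original login\n' > "$WORK/good/usr/bin/login"
printf 'original ps\n'    > "$WORK/good/usr/bin/ps"
printf 'original ls\n'    > "$WORK/good/usr/bin/ls"
cp "$WORK/good/usr/bin/ls" "$WORK/suspect/usr/bin/ls"      # untouched copy
printf 'trojaned login\n' > "$WORK/suspect/usr/bin/login"  # replaced binary
# ps is deliberately absent from the suspect tree

make_baseline "$WORK/good" > "$WORK/baseline.md5"

# Stand-alone run: lists usr/bin/login as MODIFIED and usr/bin/ps as MISSING.
if verify_against_baseline "$WORK/baseline.md5" "$WORK/suspect"; then
    echo "all files match the baseline"
else
    echo "verification FAILED: see list above"
fi
```

The baseline is only meaningful when both trees come from the same architecture and patch level; the thread's point is that the ultra (sun4u) and Sparc 5 (sun4m) copies of login and ps happened to be identical, which is exactly what a matching checksum proves and a mismatch does not refute (it may simply be a different build).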



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:24 CDT