SUMMARY: Strange problem: What is ldlibns.so??? .. and I am hacked ...

From: Detlev Habicht (habicht@ims.uni-hannover.de)
Date: Sun Sep 03 2000 - 14:18:17 CDT


Hi all,

this was my problem:

  I am running a server with Solaris 5.7. I have some network related
  problems. I can't log in via the network, I can't log in on the console,
  only via the GUI, and commands like netstat fail.

  netstat looks for the file ldlibns.so and can't open it.

  In /usr/lib I found this situation:

  -r-xr-sr-x 1 root root 50712 Sep 2 05:31 ldlibnet.so
  -rw-rw-rw- 1 root sys 0 Jul 16 1997 ldlibns.so

  On other hosts in other networks I don't find these files.

  What is ldlibns.so and where can I find it????? (And why don't I find
  it on my other systems??? :-} )

Well, I am hacked.

For the moment a little report of this hack:

- Some files are changed: netstat, du, login, ls, ps, in.telnetd, and some
  other in.* files.
  
- /usr/lib/autofs/automountd is missing.

- in.fingerd has file size 0

- You will find dirs with name ...
  /usr/lib/...
  /var/spool/...
  /xfn/...

- In one ...-dir you will find a hint and some original files:

  # more info
  -r-xr-xr-x 34 bin bin 5536 Oct 6 1998 /bin/ps
  -r-xr-sr-x 1 bin sys 50712 Oct 6 1998 /bin/netstat
  -r-sr-xr-x 1 root bin 29292 Oct 6 1998 /bin/login
  -r-xr-xr-x 1 bin bin 27344 Oct 6 1998 /usr/sbin/in.telnetd
  -r-xr-xr-x 1 bin bin 12828 Oct 6 1998 /usr/sbin/in.rshd
  -r-xr-xr-x 1 bin bin 12344 Oct 6 1998 /usr/sbin/in.rlogind

This is all for the moment.

Thanks to Casper Dik, and here are the hints from Casper:

Looks like your system has been hacked; a root kit of sorts has been installed
and it is probably trying to hide connections w/ netstat.

You can use the Solaris Fingerprint Database (under sunsolve.sun.com)
to find bad executables.

Perhaps someone has info about this hack and a plan to clean the hosts ...

Detlev

-- 
 Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
 Habicht | D-30167 Hannover +49 511 76219662 habicht@ims.uni-hannover.de
 --------+-------- Handy    +49 172 5415752  ---------------------------
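
An added example, not part of Detlev's post: a small triage script that checks a filesystem tree for exactly the indicators listed above (the original sizes from the intruder's "info" file, directories named "...", the empty in.fingerd and ldlibns.so, a world-writable file in /usr/lib, the missing automountd). The path-to-size table is taken from the post; the finding tags and the ROOT argument are my own. Note that a size match proves nothing (the trojaned netstat in the post is the same 50712 bytes as the original), so this only triages; Casper's advice to compare checksums against the Solaris Fingerprint Database remains the real check.

```shell
# Sizes from the "info" file the intruder left behind (quoted in the post).
ORIG_SIZES='/bin/ps 5536
/bin/netstat 50712
/bin/login 29292
/usr/sbin/in.telnetd 27344
/usr/sbin/in.rshd 12828
/usr/sbin/in.rlogind 12344'

# triage ROOT: print one finding per line for the tree rooted at ROOT
# (default /). Prints nothing when none of the post's indicators is present.
triage() {
  root=${1:-/}; root=${root%/}          # "/" becomes "" so "$root$path" stays absolute
  # 1. Listed binaries that are missing or whose size differs from the original.
  #    (A matching size is NOT proof the binary is clean; see the lead-in.)
  printf '%s\n' "$ORIG_SIZES" | while read -r path size; do
    f="$root$path"
    if [ ! -f "$f" ]; then
      echo "MISSING $path"
    elif [ "$(wc -c < "$f" | tr -d ' ')" -ne "$size" ]; then
      echo "SIZE_MISMATCH $path"
    fi
  done
  # 2. Directories literally named "..." (the post found them in /usr/lib,
  #    /var/spool and /xfn); they hold the kit's hint file and saved originals.
  find "${root:-/}" -type d -name '...' 2>/dev/null | sed "s|^$root|DOTDOTDOT_DIR |"
  # 3. Zero-length files the post reports: in.fingerd and the bogus ldlibns.so.
  for p in /usr/sbin/in.fingerd /usr/lib/ldlibns.so; do
    if [ -f "$root$p" ] && [ ! -s "$root$p" ]; then echo "EMPTY $p"; fi
  done
  # 4. World-writable files under /usr/lib (ldlibns.so was -rw-rw-rw-).
  find "$root/usr/lib" -type f -perm -002 2>/dev/null | sed "s|^$root|WORLD_WRITABLE |"
  # 5. The automounter daemon the post reports as deleted.
  [ -e "$root/usr/lib/autofs/automountd" ] || echo "MISSING /usr/lib/autofs/automountd"
}

# On a live system, boot from trusted media, mount the disk read-only and run:
#   triage /mnt
```

Run it from a clean boot, not from the compromised system's own ls, find and sh, since the post shows exactly those tools being replaced.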




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT