Summary: Solaris recovery - Urgent

From: sa_venkatesan@chennai.tcs.co.in
Date: Sat Sep 09 2000 - 13:09:04 CDT


Sorry I missed one more point:

     1. ls output is normal as it takes /usr/ucb/ls instead of /usr/bin/ls (to
list gid use -g option).

Hi Sysadmins,

Thanks a million for your timely and precise help.

Many thanks to:

Dave Harrington
Andres van Vugt
Mike Evans
Tim Pointing
Ray Saddler
Ric Anderson

The Solutions suggested are:

     1. Try ftping a chmod from remote system (This didn't work as the new file
is created with 644 perm. By the way, is there anyway to ftp with exact
permission like cp -r?).
                2. Taking ufsdump of existing system and boot with media
(Ofcourse this will work but require considerable work)
     3. take tar dump of /usr/bin on similar machine restore somewhere on local
with perm..provided tar is executable (ofcourse it is).,..
     4. Ray Saddler and Tim Pointing (true to his name) pointed out a quick
recovery. Exporting the /usr/bin from different machine and execute that version
of chmod.

It worked and to ensure not to damage existing permissions (like
setuid,gid,etc), I just added 'x' bit (chmod a+x /usr/bin).

Most of the respondents suspected a sysadmin mistake rather than a hacker
attack. (I do agree this as hacker would have done more!). I will interrogate
this on monday though nobody would accept responsibility.

Thanks again
venkat

Here is my Original Post:

sa_venkatesan@chennai.tcs.co.in on 09/09/2000 09:51:44 PM

To: sun-managers@sunmanagers.ececs.uc.edu
cc: (bcc: Saranathan Venkatesan/Operations/TCSCHENNAI)

Subject: Solaris recovery - Urgent

Hi Sysadmins,
         Today I started my day work as usual. But when I try to login to one of
our Solaris machines (Solaris 7 - intel), I got "connection to host is lost"
Fortunately, I had a root login on that mach and a bit of investigation
revealed that all my /usr/bin stuff are not executable. and add to my discomfort
/bin/chmod is also not executable. The more stunning thing is that if I do a ls
-l /usr/bin , I am getting only 8 column output. My group field is not there.
Even if the group is removed, it should list the gid. Have you ever faced a
problem like this? One more thing worth noting is that set-gid for /usr/bin is
enabled.

         I am attaching a bit of ls -l output of /usr/bin. (This mach. is still
up and running. I ftp'd the output to my pc)

drwxr-sr-x 3 root 7680 Sep 8 12:42 /usr/bin
total 13102
-rw-r--r-- 1 root 20448 Sep 8 12:29 acctcom
-rw-r--r-- 1 root 5536 Sep 8 12:29 adb
-rw-r--r-- 1 root 16624 Sep 8 12:29 addbadsec
-rw-r--r-- 1 root 10188 Sep 8 12:29 addbib
-rw-r--r-- 1 root 1007680 Sep 8 12:30 admintool
-rw-r--r-- 1 root 131 Sep 8 12:30 alias
-rw-r--r-- 1 root 16104 Sep 8 12:30 aliasadm
-rw-r--r-- 1 root 20064 Sep 8 12:30 apm
-rw-r--r-- 1 root 2747 Sep 8 12:30 appletviewer
-rw-r--r-- 1 root 26148 Sep 8 12:30 apropos
-rw-r--r-- 1 root 944 Sep 8 12:30 arch
-rw-r--r-- 1 root 6444 Sep 8 12:30 asa
-rw-r--r-- 1 root 33656 Sep 8 12:30 at
-rw-r--r-- 1 root 13520 Sep 8 12:30 atq
-rw-r--r-- 1 root 12104 Sep 8 12:30 atrm
-rw-r--r-- 1 root 196016 Sep 8 12:30 audioconvert
-rw-r--r-- 1 root 102848 Sep 8 12:30 audioplay
-rw-r--r-- 1 root 76408 Sep 8 12:30 awk
-rw-r--r-- 1 root 6244 Sep 8 12:30 banner

My questions are,

     1. Is it an attack by a hacker.?( I find nothing in /var/adm/messages.
The fact that setgid enabled on /usr/bin and the machine is connected to
internet justify this argument). or else what could be the cause?

                 2. What are the recovery options availble? (I don't want to
reboot the mach. until I found a conclusive soln)

I am willing to furnish more info on request.

Thanks a lot

venkat

S
U BEFORE POSTING please READ the FAQ located at
N ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
. and the list POLICY statement located at
M ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
A To submit questions/summaries to this list send your email message to:
N sun-managers@sunmanagers.ececs.uc.edu
A To unsubscribe from this list please send an email message to:
G majordomo@sunmanagers.ececs.uc.edu
E and in the BODY type:
R unsubscribe sun-managers
S Or
. unsubscribe sun-managers original@subscription.address
L To view an archive of this list please visit:
I http://www.latech.edu/sunman.html
S
T

S
U BEFORE POSTING please READ the FAQ located at
N ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
. and the list POLICY statement located at
M ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
A To submit questions/summaries to this list send your email message to:
N sun-managers@sunmanagers.ececs.uc.edu
A To unsubscribe from this list please send an email message to:
G majordomo@sunmanagers.ececs.uc.edu
E and in the BODY type:
R unsubscribe sun-managers
S Or
. unsubscribe sun-managers original@subscription.address
L To view an archive of this list please visit:
I http://www.latech.edu/sunman.html
S
T



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT