[Summary] How to resolve virus/trojan horse problem

From: John Beaulieu <john_at_john-doris.org>
Date: Fri Nov 30 2001 - 10:39:16 EST
[Original questions are at the end of the message]
Most common answers were:

1.) When you run into something like this what is the best way to
resolve the intrusion?

Overwhelmingly the response was to re-install the OS. Once you are
rooted you can never be sure what has been left open and the only way to
be sure is to re-install from scratch. I was also told that after an
initial install it is a good time to take a baseline recording of file
checksums.

2.) Do you know of any good sites that offer a good up-to-date list of
known hacks and ways to fix them?

Most common sites recommended:
www.securityfocus.com
www.rootshell.com
http://www.sunhelp.org/info-security.php
http://www.itworld.com/Comp/2377/security-faq/
http://www.cert.org/
http://www.sans.org/
http://www.incidents.org/
http://www.dshield.org/

3.) Is there the equivalent of Norton Antivirus or the like for Solaris?

The answer was no, with a few responses of "There are no viruses on
unix". :-)

4.) If I want to check binary checksums against known checksums, where
can I find the list of checksums, and does anyone know of a utility that
might already do this?

Tripwire
http://sunsolve.sun.com/private-cgi/fileFingerprints.pl

5.) Do you know of a site that has information on this particular
intrusion?

http://www.securityfocus.com/bid/2417

Thanks to all those who responded. I appreciate the information and
help.

[Original message follows:]
I have a Solaris 7 installation which I realized was compromised
(rooted) the other day. I have not nailed down the particulars but I
noticed that modstat is running several times and my 'find' and 'ls'
commands refuse to list or find it. I know I read somewhere about this
intrusion. I have the log files that it was creating. I have also
subsequently installed all Solaris patches. I believe this was a problem
with SNMP or something related to that (I may be wrong).

Anyway, I am looking for assistance with the following:

1.) When you run into something like this what is the best way to
resolve the intrusion?
2.) Do you know of any good sites that offer a good up-to-date list of
known hacks and ways to fix them?
3.) Is there the equivalent of Norton Antivirus or the like for Solaris?
4.) If I want to check binary checksums against known checksums, where
can I find the list of checksums, and does anyone know of a utility that
might already do this?
5.) Do you know of a site that has information on this particular
intrusion?

Any help is appreciated.
--
John 
Received on Fri Nov 30 15:39:16 2001
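The two technical recommendations in the summary (item 1: take a baseline of file checksums right after a clean re-install; item 4: compare binaries against known checksums with Tripwire or Sun's fingerprint database) boil down to one procedure: fingerprint the tree once from a trusted state, store the result off-host, and diff against it later. The script below is an added example written for this page, not code from the posting or from Tripwire or Sun; the function names and the throw-away demo tree are invented. It uses sha256sum when present and falls back to POSIX cksum otherwise (a comment in the code explains why the fallback is weak).

```sh
#!/bin/sh
# Added example (not from the original posting or any vendor tool): a minimal
# file-fingerprint baseline and verifier in the spirit of Tripwire and Sun's
# fingerprint database, using only find, awk, sort and a digest tool.
# Function names and the demo paths are made up for illustration.
#
# Practitioner caveats:
#   * Take the baseline right after a clean install, BEFORE the host goes back
#     on the network, and keep it (and the verifier) on read-only media off the host.
#   * Run the check from trusted binaries (e.g. booted from install media). The
#     poster's own find/ls were already trojaned, so they cannot be trusted to
#     report on themselves.
#   * cksum is CRC32 and trivially forgeable; it is only the fallback when no
#     cryptographic hash tool exists. Sun's fingerprint database used MD5.

# digest_tree DIR: print "digest path" for every regular file under DIR, sorted
# by path in the C locale so baselines are reproducible across hosts.
# Paths containing whitespace are not handled (awk splits on blanks).
digest_tree() {
    if command -v sha256sum >/dev/null 2>&1; then
        find "$1" -type f -exec sha256sum {} \; | awk '{ print $1, $2 }'
    else
        find "$1" -type f -exec cksum {} \;     | awk '{ print $1 ":" $2, $3 }'
    fi | LC_ALL=C sort -k2
}

# make_baseline DIR OUT: record the current fingerprints of DIR into OUT.
make_baseline() {
    digest_tree "$1" > "$2"
}

# verify_baseline DIR BASELINE: print ADDED / CHANGED / REMOVED lines for every
# difference from BASELINE. Exit status 0 when the tree matches, 1 when anything
# differs, 2 when the baseline is empty (so a missing baseline never reads as "clean").
verify_baseline() {
    [ -s "$2" ] || { echo "verify_baseline: empty baseline $2" >&2; return 2; }
    digest_tree "$1" | awk '
        NR == FNR { base[$2] = $1; next }            # first input: the baseline
        {
            seen[$2] = 1
            if (!($2 in base))        { print "ADDED   " $2; n++ }
            else if (base[$2] != $1)  { print "CHANGED " $2; n++ }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; n++ }
            exit (n > 0)
        }' "$2" -
}

# demo_clean: constructed scenario (fake tree, not real Solaris binaries).
# Baseline an untouched tree and verify it; returns 0 when nothing differs.
demo_clean() {
    root=${TMPDIR:-/tmp}/fp-demo.$$
    mkdir -p "$root/bin" "$root/sbin"
    printf 'original ls\n'   > "$root/bin/ls"
    printf 'original find\n' > "$root/bin/find"
    printf 'modstat\n'       > "$root/sbin/modstat"
    make_baseline "$root" "$root.base"
    verify_baseline "$root" "$root.base"; rc=$?
    rm -rf "$root" "$root.base"
    return $rc
}

# demo_tamper: same constructed tree, then the kind of changes a rootkit makes:
# "ls" is replaced by a same-length trojan, a hidden file appears, a binary is
# gone. Prints the report (one finding per line) on stdout.
demo_tamper() {
    root=${TMPDIR:-/tmp}/fp-demo.$$
    mkdir -p "$root/bin" "$root/sbin"
    printf 'original ls\n'   > "$root/bin/ls"
    printf 'original find\n' > "$root/bin/find"
    printf 'modstat\n'       > "$root/sbin/modstat"
    make_baseline "$root" "$root.base"

    printf 'trojaned ls\n'   > "$root/bin/ls"        # same size, different content
    printf 'x\n'             > "$root/bin/.hidden"   # dropped by the intruder
    rm "$root/sbin/modstat"                          # removed since the baseline

    verify_baseline "$root" "$root.base" || true     # non-zero status is expected here
    rm -rf "$root" "$root.base"
}

# Run as:  sh fingerprint.sh demo   (shows the three findings from the tampered tree)
if [ "${1:-}" = demo ]; then
    demo_tamper
fi
```

Note that the trojaned ls has exactly the same length as the original, so a size-only comparison (or a quick `ls -l`) would miss it; only the digest catches it. The same comparison logic works against a vendor-published fingerprint list if its lines are first normalised to the same "digest path" form.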
