First, thanks to the 42 people who responded.

By far the most frequent response was to check md5 fingerprints at
http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl . I downloaded the md5
from http://sunsolve.sun.com/md5/md5.tar.Z . One suggestion for
http://www.sun.com/blueprints/0501/Fingerprint.pdf . Another suggestion was to
get and run chkrootkit from http://www.chkrootkit.org which I did first. That
suggested the t0rn trojan, but that is known to attack DNS servers that this
server is not running. The other suggestion that was often repeated is to
reload, or some combination of remove the server from the network _now_ and
boot from CDROM or remove the drive to another Solaris server and run
diagnostics while the compromised drive is mounted in /a .

My solution thus far is to run the chkrootkit first, then check the md5
fingerprints of everything in /usr/bin and /usr/sbin. If it didn't check and I
didn't know what it was, it got mv-ed, and if it were a Solaris binary, copied
it from the CD. I also wrote all the md5's to a log file and cron a job that
creates a file nightly and diff the two for all files in /usr/bin and
/usr/sbin . And just for fun I added three lines to my .profile that do a last
for root, bin and adm for my inspection each and every time I login. I have
disabled root logins except for the console and verified that users bin and
adm have the NP no password set. I have not seen any further suspicious logins.
I plan to implement the noshell script below.

For anyone interested, the Solaris binaries compromised were /usr/bin/du
/usr/bin/ls /usr/bin/passwd /usr/bin/find /usr/bin/netstat /usr/bin/su and the
replacements were exactly the same size and date as the original.

Tim Wort went on to say:

> As for the accounts: adm and all system accounts should not have passwords
> or shells configured, they should be locked with the shell replaced, I
> would replace the shell with a script called noshell (from Titan.).
>
> noshell:
>
> #!/bin/sh
> # Ignore the usual signals so the login cannot be interrupted
> trap "" 1 2 3 4 5 6 7 8 9 10 12 15 19
>
> HOSTNAME=`uname -n`
> # First word of id(1) is "uid=NNN(name)"; keep the part after the "="
> USER=`id | awk '{print $1}' | awk -F= '{print $2}'`
>
> # Notify root in the background, then refuse the login
> /bin/cat /dev/null | mailx -s "Attempted access by ${USER} on host ${HOSTNAME}" root@${HOSTNAME} &
>
> echo "Sorry, you are not allowed to logon."
>
> exit

--
Kevin Metzger
Systems Administrator
Progressive Medical, Inc.
800 777-3574 x2686 desk
614 378-6396 mobile
614 389-0740 fax

Received Fri, 21 Mar 2003, from Kevin Metzger:
-Date: Fri, 21 Mar 2003 14:52:26 -0500 (EST)
-From: Kevin Metzger <kevin@pmimail.com>
-To: sunmanagers mailing list <sunmanagers@sunmanagers.org>
-Subject: hacked help
-
-I think I've been hacked and am going to change the root and other passwords.
-How can I verify that my passwd command has not been compromised?
-
-Thanks and I will summarize.
-
---
-Kevin Metzger
-_______________________________________________
-sunmanagers mailing list
-sunmanagers@sunmanagers.org
-http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Apr 4 11:44:48 2003
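The nightly "write the md5's to a log file, create a fresh one and diff the two" check that the summary describes, as an added example that is not part of the original post and not Sun's md5 tool or Titan: it builds a "path hash" baseline for a set of directories, rescans, and reports changed, added and removed files. The function names, the crontab line and the sample files under a temporary directory are constructed for illustration; the script assumes one of md5sum (GNU), md5 (BSD) or digest (Solaris) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post or from Titan/Sun: a digest
# baseline for system binary directories and a nightly comparison against it.
# Assumes one of md5sum (GNU), md5 (BSD) or digest (Solaris) is on the PATH.

# digest_of FILE: print the hex MD5 of FILE using whichever tool is present.
digest_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    else
        echo "digest_of: no MD5 tool found" >&2
        return 1
    fi
}

# make_baseline DIR...: print "path hash" for every regular file under the
# given directories, sorted by path (system binary paths contain no spaces).
make_baseline() {
    for dir in "$@"; do
        find "$dir" -type f -print | while read -r f; do
            printf '%s %s\n' "$f" "$(digest_of "$f")"
        done
    done | sort
}

# compare_baselines OLD NEW: report files whose hash changed, files that
# appeared and files that disappeared between two baseline listings.
compare_baselines() {
    awk '
        NR == FNR { base[$1] = $2; next }   # first file: the stored baseline
        { cur[$1] = $2 }                     # second file: tonight'"'"'s scan
        END {
            for (p in cur) {
                if (!(p in base))           print "ADDED   " p
                else if (cur[p] != base[p]) print "CHANGED " p
            }
            for (p in base)
                if (!(p in cur))            print "REMOVED " p
        }' "$1" "$2" | sort
}

# demo: constructed sample files standing in for /usr/bin; reproduces the
# post's scenario of a replaced binary that keeps the original size and mtime.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf 'ls v1\n'   > "$work/bin/ls"
    printf 'find v1\n' > "$work/bin/find"
    printf 'du v1\n'   > "$work/bin/du"
    make_baseline "$work/bin" > "$work/baseline.md5"

    cp -p "$work/bin/ls" "$work/ls.ref"        # remember the original mtime
    printf 'ls v2\n' > "$work/bin/ls"          # same byte count as before
    touch -r "$work/ls.ref" "$work/bin/ls"     # put the original mtime back
    rm "$work/bin/du"
    printf 'dropped in\n' > "$work/bin/xyz"

    make_baseline "$work/bin" > "$work/current.md5"
    compare_baselines "$work/baseline.md5" "$work/current.md5"
    rm -rf "$work"
}

# A nightly crontab entry (hypothetical script path) would run the same two
# steps against the real directories:
#   0 3 * * * /usr/local/sbin/md5check.sh /usr/bin /usr/sbin
demo
```

The demo's replaced "ls" has the same size and modification time as the original, which is exactly the situation the summary reports for the trojaned Solaris binaries, so an ls -l style comparison would miss it and only the digest mismatch exposes it. The check is only as trustworthy as the find, awk and md5 binaries it runs, which is why the list's advice was to use Sun's md5 package and, where possible, to boot from CDROM or mount the suspect disk on a clean host under /a before running it.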
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:08 EST