Security Incidents: Re: .baa0xdd1r??

["Bill Burge" <bill () burge com>]

Anything interesting in the output of "strings /usr/sbin/in.telnetd" or "strings /bin/login"

Last time I looked, Solaris 2.5.1's "ls" wasn't compiled with GNU file utils (but it WAS on the system I looked at this 
morning!  ;-)

Bill Burge



*********** REPLY SEPARATOR  ***********

On 7/30/2001 at 11:48 AM SecLists wrote:

> We have a customer's system that we believe was hacked...
>
> in /var/tmp there is a binary file:
> .baa0xdd1r
>
> it appears to have replaced /usr/sbin/in.telnetd
>
> /bin/login also appears suspect...
>
> this is:
> bash-2.01# uname -a
> SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
>
>
> does this sound like a familiar rootkit? or is something totally new?
>
> we are still gathering info but I wanted to post this soon in the chance
> that someone has dealt with this before.. don't want to have to reinvent
> the wheel...
>
> thanks,
>
> shawn
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com