Home page logo
/

Security Incidents mailing list archives

Re: Anybody recognize this Solaris compromise?
From: "Matthew T. Fata" <matt () credibleinstitution org>
Date: Fri, 13 Apr 2007 17:42:32 -0400

David,

It sounds like you have network monitoring on the host - that's good, because if you were compromised by the telnetd vulnerability Jamie linked to, then it may have spread to other hosts on your network - unless of course you meant this is your only Solaris box when you say that you aren't heavy users. Even so, the solaris telnetd vulnerability might not be the only thing it knows how to exploit.

Jamie Riden wrote:
Hi David,

Were you/they running telnetd as a service in February? See
http://www.kb.cert.org/vuls/id/881872

On 13/04/07, David Gillett <gillettdavid () fhda edu> wrote:
  I've got a Solaris machine on my network that has acquired
an unauthorized behaviour of unknown origin.  Every night,
from 1:10:30am until 6:00:30am, it tries to establish outbound
telnet connections to addresses all over the Internet.
<snip>
  The machine is running the SIRSI library application; it's possible
that the vulnerability is associated with that and not generically with
Solaris.  We're not heavy Solaris users here, and so IT doesn't support
that machine -- I'm trying to help our SIRSI admin pin down what's going
on so they can determine how to identify and remove the culprit.

Reformat and re-install? It's the only way to be sure you've cleaned
it properly. Probably cheaper than a thorough forensic examination as
well.

cheers,
Jamie


-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!"- SPI Dynamics White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CiNE
--------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault