it was a hack
Bill Stevens (wstevens@siu.edu)
Fri, 20 Jul 2001 15:37:53 -0500
Dan Borchardt got it just right, too:
"Hey Bill,
We were hacked a few months ago via an snmpXdmid vulnerability. I'm not sure,
but I don't think Sun has issued a patch for this yet. Anyway, look for files
in /dev/pts/01; the advisory is at
http://www.cert.org/advisories/CA-2001-05.html
Later,
Dan"
Yup - here it is, with a clean "ls"
andy:wstevens 4>cd /dev/pts/01
andy:wstevens 5>ls -l
total 90
-rw-r--r-- 1 root root 461 Apr 23 13:55 README
drwxrwxrwx 2 root root 512 Apr 23 13:55 bin
-rwxr--r-- 1 root root 5145 Apr 23 13:55 cleaner
-rwxr-xr-x 1 root root 8672 Apr 23 13:55 crypt
-rwxr-xr-x 1 root root 4651 Apr 23 13:55 findkit
-rwxr-xr-x 1 root root 4469 Apr 23 13:55 patcher
-rwxr-xr-x 1 root root 8332 Apr 23 13:55 pg
-rw-rw-rw- 1 root root 504 Apr 23 13:55 uconf.inv
-rwxr-xr-x 1 root root 8024 Apr 23 13:55 utime
andy:wstevens 2>more README
This is: SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor
If you find this file, most likely your host has been hacked by a user
of this rootkit. If you want information about this tool, removal instructions
or such, please email bert.smith@mbox.bol.bg
The author takes NO RESPONSIBILITY for anyone who misuses this tool.
Please quote the following version number in any emails.. if the rootkit
wasnt d
the version will be in a file named "iver"
17645914
-----------------------------------
I'm guessing it's probably not a good idea to write to bert.smith
The CERT advisory was correct. As far as I can tell, sunsolve hasn't made a
specific patch yet, so I've got some work to do.
Thanks, folks.
Bill
My favorite quote this week from Ambrose Bierce: Politics, Noun: the strife
of interests masquerading as a contest of principles.
William C. Stevens, Ph.D.
Director, Nuclear Magnetic Resonance Facility
Southern Illinois University
Carbondale, IL 62901-4405
618-453-6498 voice
618-453-6408 fax
wstevens@siu.edu
http://opie.nmr.siu.edu
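The check Dan suggested and Bill carried out by hand, as an added example that is not part of either mail: a script that looks for the on-disk indicators the thread describes. A healthy /dev/pts/NN entry is a pseudo-terminal device node, so a directory at /dev/pts/01 is itself suspicious, and the file names it tests for are copied from Bill's "ls -l" above. It assumes a ROOT argument ("" for the live host, or the mount point of an image of the suspect disk); the fixture trees it builds are constructed for the demo and are not evidence from any real host. Kits of this kind replace ls, ps and friends, so on a live host run it from a trusted toolset, as Bill did with his "clean ls".

```shell
#!/bin/sh
# Added example (not from the original post): look for the rootkit
# indicators described in the thread.  ROOT is "" for the live host or the
# mount point of a disk image; on a live host use trusted tools, since
# rootkits of this kind replace ls/ps/netstat.

# File names seen in the post's listing of /dev/pts/01.
KIT_FILES="README bin cleaner crypt findkit patcher pg uconf.inv utime"

# findkit_indicators ROOT: print one "indicator: ..." line per hit.
findkit_indicators() {
    root="${1:-}"
    dir="$root/dev/pts/01"
    if [ ! -d "$dir" ]; then
        echo "no /dev/pts/01 directory under '${root:-/}'"
        return 0
    fi
    # A pty entry should be a device node, never a directory.
    echo "indicator: $dir is a directory (a pty entry should be a device node)"
    for f in $KIT_FILES; do
        [ -e "$dir/$f" ] && echo "indicator: $dir/$f present"
    done
    # The README in the post announces the kit by name.
    if [ -f "$dir/README" ] && grep -q 'SunOS Rootkit' "$dir/README"; then
        echo "indicator: README identifies itself as 'SunOS Rootkit'"
    fi
    return 0
}

# findkit_count ROOT: number of indicators found (0 means nothing found).
findkit_count() {
    findkit_indicators "$1" | grep -c '^indicator:' || true
}

# Constructed fixture (not evidence from any real host): a fake root holding
# the same names as the post's listing, so the check runs offline.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/dev/pts/01/bin"
    for f in $KIT_FILES; do
        [ "$f" = bin ] || : > "$fx/dev/pts/01/$f"
    done
    printf 'This is: SunOS Rootkit v2.5 (C) 1997-2001 Tragedy/Dor\n' \
        > "$fx/dev/pts/01/README"
    echo "$fx"
}

# Constructed clean root for comparison: /dev/pts exists, no 01 directory.
make_clean_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/dev/pts"
    echo "$fx"
}

# Stand-alone demo: hits on the fake rootkit tree, nothing on the clean one.
demo_root=$(make_fixture)
findkit_indicators "$demo_root"
echo "count: $(findkit_count "$demo_root")"
clean_root=$(make_clean_fixture)
findkit_indicators "$clean_root"
echo "count: $(findkit_count "$clean_root")"
rm -rf "$demo_root" "$clean_root"
```

To check a real host or image, source the script and call `findkit_indicators /mnt/suspect` (or `findkit_indicators ""` for the live system); any "indicator:" line is reason to pull the box off the network and image it before going further.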