[geeks] hrm

Chris Byrne geeks at sunhelp.org
Sun Sep 30 18:02:32 CDT 2001


That's also one of the signatures of a rootkit for solaris I saw about a
year ago.

I can't recall the name of it at the moment, but the guy who got in was good.
He ended up getting into one of our programming contractors through a
vulnerability in the SSHD they were using and setting up a keystroke logger.
Then he hit our systems. We were able to isolate him to three systems;
unfortunately, one of them was our firewall management server, which meant we
had to rebuild the ENTIRE damned security management architecture from known
good read-only media (you don't screw around with something like this). It
took almost six weeks to get everything fixed.

Chris Byrne



----- Original Message -----
From: "Bill Bradford" <mrbill at mrbill.net>
To: <geeks at sunhelp.org>
Sent: Sunday, September 30, 2001 21:45
Subject: Re: [geeks] hrm


> On Sun, Sep 30, 2001 at 09:47:09PM +0100, Mike Meredith wrote:
> > On Sunday 30 September 2001 21:17, you wrote:
> > > How to delete this file?  I've tried all the normal tricks;
> > > quoting, escaping, etc..
> > > -rw-r--r--   1 root    admin          0 Sep 24 01:15 ?????
> > What about 'rm -i *' ?
>
> That did it.
>
> What was even stranger was this:
>
> [localhost:/] root# ls -al
> total 1368329
> < - snip junk ->
> -rw-r--r--   1 root    admin            0 Sep 24 01:15 ?????
> [localhost:/] root# ls '?????'
> ls: ?????: No such file or directory
>
> Maybe its just a MacOS X-weird-isim.
>
> Bill
>
> --
> Bill Bradford
> mrbill at mrbill.net
> Austin, TX
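The `?????` entry in the quoted ls output is a name made of non-printable bytes: ls prints a `?` in place of each byte it cannot display, so typing the question marks back in names a file that does not exist, while the unquoted glob in `rm -i *` (or `?????`) still reaches it. The script below is an added example, not code from the thread; it builds a throwaway directory with such a file (a constructed five-byte name, 0x01 through 0x05), shows how it renders, and removes it by inode number so the name never has to be quoted at all. Function names and the directory layout are this example's own; it assumes GNU or BSD ls, find and awk.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Shows why a file whose name is all non-printable bytes renders as '?????'
# in ls output, why typing the question marks does not reach it, and how to
# find and remove it without ever quoting the name: by inode number.
# Assumes GNU or BSD ls/find/awk; works in a throwaway directory it creates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample: a five-byte name made of control characters 0x01..0x05,
# alongside an ordinary file. ls substitutes '?' for each non-graphic byte.
HIDDEN=$(printf '\001\002\003\004\005')
: > "$HIDDEN"
: > normal.txt

# What an interactive 'ls' shows (-q forces the '?' substitution even
# when output is not a terminal).
list_names() {
    LC_ALL=C ls -1q .
}

# The real bytes: cat -v prints control characters as ^A ^B ^C ...
list_names_visible() {
    LC_ALL=C ls -1 . | cat -v
}

# Literal question marks name a file that does not exist.
reference_by_literal_name() {
    ls '?????' 2>/dev/null
}

# An unquoted ????? is a glob: it matches any five-byte name, including
# the hidden one. This is why 'rm -i *' in the thread worked.
glob_matches() {
    set -- ?????
    [ -e "$1" ] && printf '%s\n' "$@" | cat -v
}

# Inode numbers of entries whose name contains any byte outside printable
# ASCII (0x20-0x7E). Names containing spaces would break the $2 split; the
# point here is names made of control bytes, which awk does not split on.
inodes_of_unprintable() {
    LC_ALL=C ls -1i . | LC_ALL=C awk '$2 ~ /[^ -~]/ { print $1 }'
}

# Delete by inode: no quoting or escaping of the name is needed.
remove_by_inode() {
    for ino in $(inodes_of_unprintable); do
        find . -maxdepth 1 -inum "$ino" -exec rm -f {} +
    done
}

count_entries() {
    ls -1A . | wc -l | tr -d ' '
}
```

The `ls -1i` / `find -inum` pair is the one to reach for during an incident: it works regardless of what bytes are in the name, and unlike `rm -i *` it does not depend on answering prompts correctly for every other file in the directory. Running `ls | cat -v` (or `ls -b` on GNU) first tells you whether you are looking at an odd-but-benign name or at something a rootkit dropped.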