[SPARCbook] patch your sparcbooks!
Jonathan Kalbfeld
sparcbook at sunhelp.org
Tue May 8 14:15:54 CDT 2001
My Sparcbook running Solaris 2.6 was rooted the other day by the most
recent internet worm.

Specifically, look at your /.rhosts file and your /etc/rc2.d/S71rpc file
and remove the first line from it. You might have a bunch of crap in
/dev/cub and /dev/cuc directories. This is evidence of the worm.

/dev/cuc contains the actual scripts and /dev/cub contains the hosts being
attacked from your machine.

Also, you might have a process running with "inetd -s /tmp/.f"
This launches a root shell on port 600.

I simply did a mkdir /.rhosts and removed the first line of
/etc/rc2.d/S71rpc and rebooted the machine while it was airgapped.
This should solve the problem.

Then, edit the /etc/inetd.conf directory and disable sadmind (who the hell
uses this anyway? :) and restart inetd.

Also, check any other Solaris machines running <8 and look for a root
shell on port 600 and + + in your rhosts. Sometimes those two are present
but the actual worm is not present.

Best of luck.

jonathan
--
Jonathan Kalbfeld M268@>6]U('!L87D@=&AI<R!M ThoughtWave Technologies LLC
(v) +1 415 386 UNIX 97-S86=E(&)A8VMW87)D<RP@: UNIX, Networking, Programming
(f) +1 415 358 4519 70@;65A;G,@);F]T:&EN9RX* http://www.thoughtwave.net/
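
The checks listed in the message above, collected into one script as an added example (not part of the original post). It assumes a POSIX sh and grep, so on Solaris of this era use something other than the legacy /bin/sh, or run it from another host against a mounted disk. The function names, the ROOT argument, the /tmp/.f file test and the rule for flagging the first line of S71rpc are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original message): look for the traces the
# message lists. ROOT may point at a mounted disk image or a test tree.

check_files() {                       # usage: check_files [ROOT]
    root="${1:-}"
    # A "+ +" line in /.rhosts trusts every user on every host.
    if [ -f "$root/.rhosts" ] &&
       grep -Eq '^[[:space:]]*\+[[:space:]]+\+' "$root/.rhosts"; then
        echo "FOUND: + + entry in $root/.rhosts"
    fi
    for p in /dev/cub /dev/cuc; do
        if [ -d "$root$p" ]; then echo "FOUND: directory $root$p"; fi
    done
    if [ -e "$root/tmp/.f" ]; then echo "FOUND: $root/tmp/.f"; fi
    # Assumption: a clean rc script starts with a '#' line (shebang/comment).
    rc="$root/etc/rc2.d/S71rpc"
    if [ -f "$rc" ]; then
        first=$(sed -n 1p "$rc")
        case "$first" in
            '#'*) ;;
            *) echo "CHECK: first line of $rc: $first" ;;
        esac
    fi
}

check_ps() {                          # stdin: output of `ps -ef`
    if grep -q 'inetd -s /tmp/\.f'; then
        echo "FOUND: inetd started with -s /tmp/.f"
    fi
}

check_listen() {                      # stdin: output of `netstat -an`
    # Matches Solaris "*.600" and Linux-style ":600" local addresses.
    if grep -Eq '[.:]600[[:space:]].*LISTEN'; then
        echo "FOUND: listener on port 600"
    fi
}

scan_host() {                         # usage: scan_host [ROOT]
    check_files "${1:-}"
    ps -ef | check_ps
    netstat -an | check_listen
}

# Run as: sh wormcheck.sh scan [ROOT]
case "${1:-}" in scan) scan_host "${2:-}" ;; esac
```

A clean result only means these particular traces are absent; as the message notes, the port 600 shell and the + + entry can be present without the worm's own files.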