[Sunhelp] Re: ufsd

Hal Flynn hmflynn at earthlink.net
Tue May 30 17:09:32 CDT 2000


See my recent article on inetd:

http://www.securityfocus.com/focus/sun/articles/inetd1.html is the first
half.

http://www.securityfocus.com/focus/sun/articles/inetd2.html is the
second.

Additionally, another in the "Back to the Basics" series was released
Monday titled "Back to the Basics: Solaris Default Processes and init.d
Pt. I", and addresses a lot of the default processes you'll see running
on a freshly installed, Full Install + OEM of Solaris.

If any of you have any feedback on these, I'd be more than happy to
receive your feedback/comments/flames/scoldings/death threats/etc. 
Please mail me privately.

Hal
hmflynn at earthlink.net

Xavier Mertens wrote:
> 
> Hi Kevin,
> 
> Uh? No /usr/lib/fs/ufs/ufsd file on my system!?
> Have you more info on the hack you explained? I searched for "usfd" on
> classical security sites but found nothing!
> 
> X
> 
> --
> Xavier Mertens,         .  .   EuroNet Internet  "Contrary to popular belief,
> NOC Manager          .      *  a subsidiary of    Unix is userfriendly. It
> XM3-RIPE XM1-6BONE  .          France Telecom     just happens to be selective
>                                                   about who it makes friends
>                                                   with."
> 
> On Tue, 30 May 2000, Kevin Maguire wrote:
> 
> > Hi
> >
> > I would check that your system has not been hacked.  A recent hacking
> > incident here revolved around vulnerabilities in some inetd controlled
> > services, such as sadmind,cmsrd,....
> >
> > Our hacker dropped his own version of /usr/lib/fs/ufs/ufsd into place!
> >
> > It gave him a root shell prompt.
> >
> > Do a checksum on this file.
> > /usr/lib/fs/ufs/ufsd
> > Regards
> > Kevin
> >
> >                          \\\|///
> >                        \\  - -  //
> >                         (  @ @  )
> > +---------------------oOOo-(_)-oOOo-------------------------+
> > | Kevin Maguire                                Unix Support |
> > | kmaguire at eso.org            European Southern Observatory |
> > | Tel:+49 (0)89 3200 6387      Karl-Schwarzschild-Strasse 2 |
> > | Fax:+49 (0)89 3200 6380     D-85748 Garching bei Muenchen |
> > +-----------------------------Oooo--------------------------+
> >                        oooO   (   )
> >                       (   )    ) /
> >                        \ (    (_/
> >                         \_)
> >
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
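
The checksum check suggested in the quoted message, extended to every program inetd launches, as an added example that is not part of the original thread. The function name audit_inetd, the baseline file format, the sandbox contents and the use of sha256sum are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed baseline format, recorded while
# the host was trusted: "<sha256>  <absolute path>" per line.

# audit_inetd CONF BASELINE ROOT [EXTRA_PATH...]
# ROOT prefixes every file that is hashed (pass "" on a live system).
# Prints "<STATUS> <path>"; STATUS is OK, MODIFIED, UNKNOWN or MISSING.
audit_inetd() {
    conf=$1; baseline=$2; root=$3
    shift 3
    {
        # Field 6 of an inetd.conf entry is the server program.
        awk '!/^[ \t]*#/ && NF >= 6 && $6 != "internal" { print $6 }' "$conf"
        for extra in "$@"; do echo "$extra"; done
    } | sort -u | while read -r prog; do
        want=$(awk -v p="$prog" '$2 == p { print $1 }' "$baseline")
        if [ ! -f "$root$prog" ]; then
            # Absent is only a finding if the baseline expects the file.
            if [ -n "$want" ]; then echo "MISSING $prog"; fi
            continue
        fi
        have=$(sha256sum "$root$prog" | awk '{ print $1 }')
        if [ -z "$want" ]; then echo "UNKNOWN $prog"      # exists, never baselined
        elif [ "$want" = "$have" ]; then echo "OK $prog"
        else echo "MODIFIED $prog"
        fi
    done
}

# Constructed sandbox standing in for a Solaris root filesystem.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/usr/sbin" "$sandbox/usr/lib/fs/ufs" "$sandbox/etc"
    echo "constructed in.ftpd" > "$sandbox/usr/sbin/in.ftpd"
    echo "constructed sadmind" > "$sandbox/usr/sbin/sadmind"
    printf '%s\n' '# constructed inetd.conf' \
        'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
        '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' \
        'time stream tcp nowait root internal' > "$sandbox/etc/inetd.conf"
    for p in /usr/sbin/in.ftpd /usr/sbin/sadmind; do     # trusted-state baseline
        echo "$(sha256sum < "$sandbox$p" | awk '{ print $1 }')  $p"
    done > "$sandbox/baseline"
    echo "replaced" > "$sandbox/usr/sbin/sadmind"        # simulated tampering
    echo "dropped" > "$sandbox/usr/lib/fs/ufs/ufsd"      # path named in the thread
    audit_inetd "$sandbox/etc/inetd.conf" "$sandbox/baseline" "$sandbox" \
        /usr/lib/fs/ufs/ufsd
    rm -rf "$sandbox"
}

demo
```

An UNKNOWN result for /usr/lib/fs/ufs/ufsd means the file exists but was never in the trusted baseline. A baseline is only useful if it is stored somewhere the audited host cannot write to.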




