[SunHELP] Tracking Hacker ?

Kurt Huhn sunhelp at sunhelp.org
Tue Apr 24 22:45:39 CDT 2001


> Hello Sun Admins,
>
> I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
> message of "you been hacked" was on my screen.  Someone somehow gained
> ANY IDEAS that can help me are **GREATLY** appreciated.  After this had
> happened, I also checked my inetd.conf and probably should have shut down
> basically ALL ports beforehand because the only access anyone needs to
> this is RARELY ftp and mostly ssh.  Thank you!

I'm going to assume that you have a firewall of some kind, and haven't just
put a naked box on the internet - the technological equivalent of wearing
nothing but socks to a swordfight...

At any rate, check your firewall logs for accesses to that computer.
Failing that, you *might* be able to check the access logs of your router -
but some routers don't log.

You can also check /etc/passwd - see if there's something in there that
looks odd - a user that didn't exist before...

My suspicion is that someone managed to brute force the box by guessing that
your root user was "root" and just pointing a brute-forcer (like brutus) at
your box via FTP.  From that point, it's easy to open an SSH session with
the newly found root password and cause all types of ruckus.  They may have
poked around a little, found out that the Linux root-kit that they tried to
install didn't work, and decided to clean up and leave you a nice message -
just for shits and giggles...

Kurt
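The two checks Kurt suggests (look for an odd user in /etc/passwd) and the original poster's own thought (inetd.conf should have had almost everything shut off) can be scripted so they are repeatable against a backup or a trusted baseline copy. The script below is an added example written for this thread, not code posted by either participant. All file paths and the sample passwd and inetd.conf contents are constructed here; the planted account name "toor" is an illustrative value, not something from the poster's machine.

```sh
#!/bin/sh
# Added example (not from the SunHELP thread): post-incident checks on a
# Solaris-style box. Each function takes file paths as arguments so it can
# be pointed at a mounted backup, a baseline copy, or the samples below.
#
# On Solaris 8, /usr/bin/awk is the old awk; set AWK=nawk there.
AWK=${AWK:-awk}

# Print accounts whose UID is 0 but whose name is not "root"
# (a planted second superuser is a classic sign of compromise).
extra_uid0_accounts() {
    $AWK -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print account names present in the current passwd file but absent from
# a trusted baseline (for example a backup taken before the incident).
new_accounts() {
    $AWK -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
        "$1" "$2"
}

# Print the service names inetd.conf still enables: lines that are neither
# blank nor commented out. Anything not needed (here: only ssh and
# occasionally ftp) is a candidate for disabling.
enabled_inetd_services() {
    $AWK '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Write constructed sample data into the directory given as $1.
# (Not real files from the poster's SPARCstation.)
make_samples() {
    mkdir -p "$1"
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
kurt:x:1001:10:Kurt:/export/home/kurt:/bin/sh
EOF
    cat > "$1/passwd.current" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
kurt:x:1001:10:Kurt:/export/home/kurt:/bin/sh
toor:x:0:1::/:/sbin/sh
EOF
    cat > "$1/inetd.conf" <<'EOF'
# constructed excerpt in Solaris inetd.conf format
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd -l
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
}

# Stand-alone run against the constructed samples.
sample_dir=${TMPDIR:-/tmp}/sunhelp_check.$$
make_samples "$sample_dir"
echo "UID-0 accounts other than root:"
extra_uid0_accounts "$sample_dir/passwd.current"
echo "Accounts not in the baseline:"
new_accounts "$sample_dir/passwd.baseline" "$sample_dir/passwd.current"
echo "Services still enabled in inetd.conf:"
enabled_inetd_services "$sample_dir/inetd.conf"
rm -rf "$sample_dir"
```

Run it on the real files by calling the functions with `/etc/passwd` (ideally from a read-only mount of the disk rather than the live, possibly rootkitted system) and a known-good copy of the file; a name in either of the first two listings is exactly the "user that didn't exist before" Kurt describes.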