[SunHELP] Tracking Hacker ?

David Eisner sunhelp at sunhelp.org
Tue Apr 24 23:24:38 CDT 2001


On Tue, 24 Apr 2001, Jeff Feller wrote:

> I'll keep lookin' around perhaps looking for all / any files modified on
> "Apr 24" at 18:52 or so.. Otherwise, from the looks of it, the ONLY files I
> see that were touched so far were /etc/motd, /var/adm/messages and the
> wtmp or utmp files I assume since there is nothing in "last" ...

There are many ways the intruder could have broken in.  Assuming you're
not keeping up to date on patches, take a look at www.cert.org,
www.securityfocus.org, www.sans.org, etc. to get an idea of what
kind of exploits may have been used.

There's a pretty good chance your system utilities (ls, ps, w, etc. etc.)
have been replaced with hacked versions that will hide evidence
of the hacker's work and continued presence.  You need to boot
from the Solaris CD before examining your system.

One thing you can do is go here

  http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl

to check the MD5 checksums of your system utilities.

Ultimately, you can't trust the system (and possibly others
on your network) anymore.  Get any critical *data* you need off
the disk, reformat it, and install Solaris again.  This time, lock
it down before you put it on the network.  Download the
latest recommended patch cluster from Sun and put it on a CD so you
can patch the system before you expose it.  And yes, a firewall is
a very good idea.

By the way, be careful about saving your .cshrc, etc.  They may have
been trojaned, too.

-David

-----------------------------------------------------
David Eisner            | E-mail: cradle at eng.umd.edu |
CALCE EPSC              | Phone:  301-405-5341       |
University of Maryland  | Fax:    301-314-9269       |
-----------------------------------------------------
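The two checks David describes (look for files touched around the time of the break-in, and compare the MD5 of system utilities against a known-good fingerprint list, all done after booting from clean media so the suspect ls/ps/find are never run) can be scripted against the compromised disk mounted read-only under some directory. The following is an added example, not code from the thread or from Sun; it assumes the known-good list has been put into md5sum-style "<md5>  <path>" lines, and the "disk" it examines is a constructed temp directory containing a replaced ls and a rewritten motd.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

# All inspection below uses Python's own file access on a disk mounted under
# ROOT after booting from clean media; nothing on the suspect disk is executed.


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_fingerprints(text):
    """Parse known-good '<md5>  <absolute path>' lines (assumed md5sum-style
    layout; '#' lines are comments). Returns {path: md5}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        db[path.strip()] = digest.lower()
    return db


def verify_utilities(root, fingerprints):
    """Compare each listed utility under the mounted disk with its known-good
    MD5. Returns {path: 'ok' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for path, expected in fingerprints.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "MISSING"
        elif md5_of(full) != expected:
            results[path] = "MISMATCH"
        else:
            results[path] = "ok"
    return results


def files_modified_between(root, start, end):
    """Walk the mounted disk with os.walk/lstat (not the suspect find/ls) and
    return files whose mtime falls inside [start, end]."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if start.timestamp() <= st.st_mtime <= end.timestamp():
                hits.append("/" + os.path.relpath(full, root))
    return sorted(hits)


def build_demo_disk():
    """Constructed sample disk: fake 'binaries' from a clean install, then a
    simulated intrusion that replaces ls and rewrites motd.
    Returns (root, fingerprint_text, incident_time)."""
    root = tempfile.mkdtemp(prefix="victim-")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc"))
    clean = {
        "usr/bin/ls": b"genuine ls binary\n",
        "usr/bin/ps": b"genuine ps binary\n",
        "usr/bin/w": b"genuine w binary\n",
        "etc/motd": b"Authorised users only\n",
    }
    installed = datetime(2001, 1, 10, 9, 0).timestamp()
    for rel, data in clean.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(data)
        os.utime(full, (installed, installed))
    # Known-good list recorded from the clean install. netstat is listed with a
    # placeholder digest but deliberately absent from this constructed disk,
    # to show the MISSING case.
    fingerprints = "\n".join(
        f"{md5_of(os.path.join(root, rel))}  /{rel}"
        for rel in ("usr/bin/ls", "usr/bin/ps", "usr/bin/w")
    ) + "\n# placeholder digest, constructed for the demo\n"
    fingerprints += "00000000000000000000000000000000  /usr/bin/netstat\n"
    # Simulated intrusion at 18:52 on Apr 24 (the time from the thread).
    incident = datetime(2001, 4, 24, 18, 52)
    tampered = {"usr/bin/ls": b"trojaned ls binary\n", "etc/motd": b"owned\n"}
    for rel, data in tampered.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(data)
        os.utime(full, (incident.timestamp(), incident.timestamp()))
    return root, fingerprints, incident


def run_demo():
    """Run both checks on the constructed disk; returns (results, modified)."""
    root, fingerprint_text, incident = build_demo_disk()
    results = verify_utilities(root, load_fingerprints(fingerprint_text))
    window = timedelta(minutes=30)
    modified = files_modified_between(root, incident - window, incident + window)
    return results, modified


if __name__ == "__main__":
    results, modified = run_demo()
    for path, status in sorted(results.items()):
        print(f"{status:9} {path}")
    print("modified near incident:", modified)
```

The fingerprint check only tells you about files that are on the list; an mtime sweep catches things like a rewritten motd or a new dotfile, but an intruder can reset timestamps, so a clean "modified" list is not proof of anything, which is why the message ends by recommending a reinstall rather than a cleanup.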
