[Techtalk] hacked on solaris

[Raven Alder]

Heya --

Quoth Shirrell (Sun, Aug 25, 2002 at 02:38:18PM -0400):
> Our server which is a SUN Sparc 5 running solaris 5.7 has been
> hacked.  The symptoms are that the perfmeters (performance
> meters) appear with a gravestone which has R.I.P on it and
> the following message appears:
> 
>     INIT command is resspawning too quickly 
>     use SV  /usr/bin/srload -D -q
> 
> The srload command seems to do nothing except complain the 
> -D is invalid. I have restored the /sbin /usr/sbin /usr/bin
> and /usr/lib directories from backups.  This seemed to work
> yesterday.  This morning the problem reappeared and restoring
> the same file systems has not cured the problem.  

	Do you patch regularly?  That's fairly important when doing
Solaris administration, and will provide a good number of security fixes.

	This may not actually be a hack at all.  (Not that security's
not important, but it may not be the culprit this time.)

http://www.netsys.com/sunmgr/1996-10/msg00061.html

is an example of someone with a similar problem on Solaris, which turned
out to be fixable by tinkering with the script that runs xdm on the
console.   

	Check with other folks that use your same GUI management tool
(or in the man page for it) and see if the gravestone is something that
may be supposed to be there, as a "whoa! dire system problem" warning or
some such.  You may be able to get more specific answers from Sun about
it, too.  Unfortunately I've not used your particular tool on Solaris,
so I can't offer experience there.

	If your system has been hacked, though, you're looking at a full
format and reinstall.  I know it's ugly, but it's really the only way to
be sure that you've got them out.  And then patch, first thing, so they
don't get right back in again.

	Good luck.

Cheers,
Raven  
 
"Don't get in my way when I'm running from your wife!"
  -- Louis, after accidentally socking RavenBlack in the jaw