[Techtalk] hacked on solaris

Shirrell shirrell at pstat.com
Sun Aug 25 14:38:18 EST 2002

Our server which is a SUN Sparc 5 running solaris 5.7 has been
hacked.  The symptoms are that the perfmeters (performance
meters) appear with a gravestone which has R.I.P on it and
the following message appears:

    INIT command is resspawning too quickly 
    use SV  /usr/bin/srload -D -q

The srload command seems to do nothing except complain the 
-D is invalid. I have restored the /sbin /usr/sbin /usr/bin
and /usr/lib directories from backups.  This seemed to work
yesterday.  This morning the problem reappeared and restoring
the same file systems has not cured the problem.  

We are a very small company and are connected to the world
a briefly as possible to pick up mail and search the web.
I do not understand the mechanisms for such hacking.

It is obvious that we must finally move to Solaris 8 and put
up a good firewall but in the meantime are there any suggestions
about how to fix the current problem as I cannot Rest In Peace
with that gravestone staring me in the face?

Shirrell at pstat.com

More information about the Techtalk mailing list