[Techtalk] Hacked on Solaris: update
Shirrell
shirrell at pstat.com
Mon Aug 26 16:31:25 EST 2002
Despite one hopeful reply that perhaps the problem was with
xdm there is no question that we were hacked. Thanks particularly
to Caity for the advice and book reference. We will be secure asap!
I have good backups and have restored most of the system area.
The files that the hacker hacked seemed to be all on /etc and
included:
passwd - a new user added
shadow - renamed oshadow
rc2 and rc3 - the symbolic links to /sbin/rc2 and rc3 were
replaced.
lpd.config - was added. It contains what looks like a
password and prevented the 2 client machines from printing.
the link of inetd.conf to ./inet/inetd.conf was replaced with
a new inetd.conf which omits all reference to rstatd which
is used by programs such as perfmeter -- which explains where
the tombstone came from.
We are still vulnerable to the hacker's return until I get all the
patches in and finish a complete restoration. There is nothing like
a nice long labor day weekend for such a project.
Thanks again for the help I got,
Shirrell at pstat.com
More information about the Techtalk
mailing list