[Techtalk] Hacked on Solaris: update

Shirrell shirrell at pstat.com
Mon Aug 26 16:31:25 EST 2002

Despite one hopeful reply that perhaps the problem was with
xdm there is no question that we were hacked.  Thanks particularly
to Caity for the advice and book reference.  We will be secure asap!

I have good backups and have restored most of the system area.
The files that the hacker hacked seemed to be all on /etc and

    passwd  - a new user added
    shadow  - renamed oshadow
    rc2 and rc3 - the symbolic links to /sbin/rc2 and rc3 were 

    lpd.config - was added.  It contains what looks like a 
       password and prevented the 2 client machines from printing.

    the link of inetd.conf to ./inet/inetd.conf was replaced with
       a new inetd.conf which omits all reference to rstatd which
       is used by programs such as perfmeter -- which explains where
       the tombstone came from.

We are still vulnerable to the hacker's return until I get all the
patches in and finish a complete restoration.  There is nothing like
a nice long labor day weekend for such a project.

Thanks again for the help I got,
Shirrell at pstat.com 

More information about the Techtalk mailing list