This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
--- Forwarded mail from "Alaric S. Haag" <address@hidden>

Date: Mon, 2 Apr 2001 20:49:29 -0500
From: "Alaric S. Haag" <address@hidden>
To: Mike Schmidt <address@hidden>
cc: Jeff Masters <address@hidden>, Robert Mullenax <address@hidden>, 10 <address@hidden>
Subject: Re: weird problem

Folks,

The original problem Robert described is almost absolutely _assured_ to be due to a rootkit crack using the snmpXdmid exploit that just surfaced in Solaris 2.6, 2.7 and 2.8, the result of which is that ps, ls, netstat, find, etc. are all replaced with trojaned copies (Robert, run "strings `which ps`" and then "strings `which ls`" and note the nasty similarities...).

The good news is that the original binaries, although they shouldn't be trusted, are "probably" tucked away in a new directory, rooted in /dev/pts/01 (there should be no such directory; rather there should be /dev/pts/0 thru /dev/pts/9 (as single digits) and then /dev/pts/10, etc.).

If your machine is compromised, and you want to "pull the plug", the likely solution is to remove the two new lines appended to /etc/rc2 and /etc/rc3 that start "lpstat" (a sniffer) and "sshd2" (a trojaned ssh daemon) and reboot. The rootkit does a lot more, so read the CERT advisory CA-2001-05 carefully to get the details.

Unfortunately, the CERT alert came out about a day too late... :(

--
Kind regards,
Ric

[ Alaric S. Haag, Computer Manager            mailto:address@hidden  ]
[ Coastal Studies Institute - Earth Scan Lab  Voice: (225) 388-6438  ]
[ Louisiana State University                  FAX:   (225) 388-2520  ]
[ Baton Rouge, LA 70803                       http://www.esl.lsu.edu ]

---End of forwarded mail from "Alaric S. Haag" <address@hidden>
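As an added example that is not part of the forwarded message, the following POSIX sh audit checks a host, or a filesystem image mounted under a given directory, for the indicators the message lists: the /dev/pts/01 directory, the appended "lpstat"/"sshd2" start-up lines in /etc/rc2 and /etc/rc3, and strings shared between ps and ls. The /usr/bin/ps and /usr/bin/ls paths are an assumption; the message itself gives no paths.

```shell
#!/bin/sh
# Added example, not part of the forwarded message: check a Solaris host
# (root "/") or a filesystem image mounted under $1 for the indicators the
# message lists. Findings are printed with a "FOUND:" prefix; exit is always 0.
# The message warns that ls/ps/find may be trojaned, so a mounted image
# inspected from clean media is more trustworthy than a live check.
check_rootkit_indicators() {
    root="${1:-/}"
    findings=0

    # 1. The stash directory /dev/pts/01: legitimate pty entries are
    #    /dev/pts/0 .. /dev/pts/9 and then /dev/pts/10, never "01".
    if [ -d "$root/dev/pts/01" ]; then
        echo "FOUND: directory $root/dev/pts/01 exists"
        findings=$((findings + 1))
    fi

    # 2. Lines appended to /etc/rc2 and /etc/rc3 that start the sniffer
    #    ("lpstat") or the trojaned daemon ("sshd2").
    for rc in "$root/etc/rc2" "$root/etc/rc3"; do
        [ -f "$rc" ] || continue
        if grep -n -E '^[[:space:]]*(lpstat|sshd2)([[:space:]]|$)' "$rc"; then
            echo "FOUND: suspicious start-up line(s) in $rc"
            findings=$((findings + 1))
        fi
    done

    # 3. Trojaned ps and ls share strings a clean pair would not. Print the
    #    long strings common to both for a human to judge (needs strings(1));
    #    the binary paths are an assumption for Solaris.
    ps_bin="$root/usr/bin/ps"
    ls_bin="$root/usr/bin/ls"
    if command -v strings >/dev/null 2>&1 && [ -f "$ps_bin" ] && [ -f "$ls_bin" ]; then
        shared=$( { strings -n 12 "$ps_bin" | sort -u; strings -n 12 "$ls_bin" | sort -u; } | sort | uniq -d)
        if [ -n "$shared" ]; then
            echo "NOTE: strings of 12+ chars present in both ps and ls (review manually):"
            echo "$shared"
        fi
    fi

    echo "$findings indicator(s) found"
    return 0
}

check_rootkit_indicators "$@"
```

Run it as `sh audit.sh /mnt/suspect` against a mounted image, or with no argument for a live check; only the "FOUND:" lines are hard indicators, the "NOTE:" list needs a human comparison as the message suggests.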