SUMMARY: Root filesys full, du -sk /dev = 100mb

From: Mike Vierow, e-Agency <mvierow_at_e-agency.com>
Date: Tue Oct 09 2001 - 18:23:27 EDT
Problem was due to the snmpXdmid exploit which ended up generating 100mb of logs.

http://www.cert.org/advisories/CA-2001-05.html

Thanks Davor for helping me solve this problem.

Question though, in the lpstart script which initializes the sniffer, an email
address was entered to forward the log files, possibly to the person responsible
for the attack. Does anyone know if this was common with all of the exploits,
and thus not worthy of following up, or unique, and a huge mistake by the
cracker?

Mike

> -----Original Message-----
> Sent: Tuesday, October 09, 2001 12:41 AM
> Subject: Re: Root filesys full, du -sk /dev = 100mb
>
>
> "Mike Vierow, e-Agency" wrote:
> >
> > uname -a: SunOS saturn 5.7 Generic_106541-04 sun4u sparc SUNW,Ultra-250
> >
> > Greetings, I am trying to determine what is eating up so much space in my /dev
> > directory. Currently, /dev is using 99524k. Using ls -al does not show any files
> > larger than a few k. du -sk * (from /dev) doesn't show a file or directory
> > taking up more than 1mb. fsck comes up clean.
> >
> [snip...]
>
> > I've researched all the 3rd-party applications and found nothing. I've done the
> > same a hundred times through the answerbooks and through mail lists, but have
> > found nothing as to what may be causing this. Any help or direction would be
> > great. Thanks.
> >
> > Michael
> >
>
> Hi,
>
> /dev has become a hiding ground in several attacks (e.g. - according to
> CERT CA-2001-11 sadmind/IIS Worm, CA-2001-05 Exploitation of snmpXdmid...),
> one possibility is that your machine has been broken into. As a first step
> I'd suggest that you check the validity of your binaries such as ls and
> ps; there is a fingerprint database for all the binaries at www.sun.com, but
> I just cannot recall the exact location... usually those rootkits trojan
> (among other files) /bin/ls but not /usr/ucb/ls, /bin/ps but not
> /usr/ucb/ps, try /usr/ucb/ls -al /dev
> check for existence of /dev/pts/01 or /dev/cuc (of course you cannot see it
> with trojaned ls that is hiding the presence of the rootkit, but if it is
> there, you can cd into it - cd is shell internal - or instead of relying on
> ls, do e.g. echo /dev/pts/*); check process status using /usr/ucb/ps...
> if anything funny shows, check recovery procedures at www.cert.org
>
> hope that helps,
>
> davor
>
> --
> Davorin Bengez                                        UNIX SA & ITSE
> Email:                                       dbengez@interactive1.hr
>

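The checks Davor describes above, written out as an added POSIX sh example (this is not code from the thread or from Sun): compare what the shell's own globbing sees in a directory against what a listing command reports, walk the tree for large files without relying on ls or find, and compare binaries against a known-good checksum baseline. It runs in a constructed sandbox directory rather than the real /dev; the `hiding_lister` function, the `sniff.log` file and the use of `cksum` are assumptions standing in for a trojaned ls, the sniffer log from the thread, and Sun's MD5 fingerprint database respectively.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the checks Davor
# describes using only shell builtins, globbing and test(1) where a
# rootkit-replaced ls/find would lie. Runs in a constructed sandbox, never
# against the real /dev.

# Names that the shell's own globbing finds in $1 but a listing command
# ($2, default "ls -A") omits. A name appearing here is one a trojaned ls
# hides; "echo /dev/pts/*" from the thread is the manual form of this check.
glob_minus_lister() {
    dir=$1
    lister=${2:-"ls -A"}
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || continue
        name=${p##*/}
        if ! $lister "$dir" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Recursive walk without ls or find: prints regular files of at least $2 KB
# under $1. A sniffer log parked in a hidden /dev subdirectory (the 100 MB in
# the thread) shows up here even when ls refuses to list the directory.
big_files() {
    min_kb=$2
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || continue
        if [ -d "$p" ] && [ ! -L "$p" ]; then
            big_files "$p" "$min_kb"
        elif [ -f "$p" ]; then
            kb=$(( $(wc -c < "$p") / 1024 ))
            if [ "$kb" -ge "$min_kb" ]; then
                printf '%s\n' "$p"
            fi
        fi
    done
}

# Compare binaries against a known-good checksum list: each line of $1 is
# "crc size path" as written by cksum(1). Prints paths whose checksum changed.
# cksum is an assumed stand-in for the MD5 fingerprint database the thread
# mentions; a real baseline must come from trusted media, not from the
# possibly compromised host.
verify_fingerprints() {
    while read -r want size path; do
        [ -n "$path" ] || continue
        have=$(cksum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf '%s\n' "$path"
        fi
    done < "$1"
}

# Constructed sandbox standing in for /dev: one ordinary node and a
# pts/01 subdirectory holding a 2 MB "sniffer log" of zero bytes.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/dev/pts/01"
    printf 'tty0' > "$sb/dev/tty0"
    dd if=/dev/zero of="$sb/dev/pts/01/sniff.log" bs=1024 count=2048 2>/dev/null
    printf '%s\n' "$sb"
}

# Constructed stand-in for a listing tool that drops one name from its
# output, so the comparison has something to detect. On a real host pass
# plain "ls -A" (or /usr/ucb/ls -A, as Davor suggests) instead.
hiding_lister() {
    ls -A "$1" | grep -v '^pts$'
}

# Demo run in the sandbox. The real-host equivalent would be:
#   glob_minus_lister /dev; big_files /dev 1024; verify_fingerprints baseline
sb=$(make_sandbox)
echo "hidden by the lister: $(glob_minus_lister "$sb/dev" hiding_lister)"
echo "large files: $(big_files "$sb/dev" 1024)"
cksum "$sb/dev/tty0" > "$sb/baseline"
printf 'replaced' > "$sb/dev/tty0"
echo "changed since baseline: $(verify_fingerprints "$sb/baseline")"
rm -rf "$sb"
```

Globbing and `cd` are shell internals and `test`/`[` is a builtin in every modern sh, which is why these checks sidestep a replaced `/bin/ls`; a rootkit that also replaces the shell or the kernel's directory-reading calls defeats them, so a disagreement between the two views is evidence to act on, but agreement is not proof of a clean host.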
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Oct 9 17:21:48 2001

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:26 EST