[Original questions are at end of message]

Most common answers were:

1.) When you run into something like this what is the best way to resolve the intrusion?

Overwhelmingly the response was to re-install the OS. Once you are rooted you can never be sure what has been left open and the only way to be sure is to re-install from scratch. I was also told that after an initial install it is a good time to take a baseline recording of file checksums.

2.) Do you know of any good sites that offer a good up-to-date list of known hacks and ways to fix them?

Most common sites recommended:
www.securityfocus.com
www.rootshell.com
http://www.sunhelp.org/info-security.php
http://www.itworld.com/Comp/2377/security-faq/
http://www.cert.org/
http://www.sans.org/
http://www.incidents.org/
http://www.dshield.org/

3.) Is there the equivalent of Norton Antivirus or the such for Solaris?

The answer was no, with a few responses of "There are no viruses on unix". :-)

4.) If I want to check binary checksums against known checksums, where can I find the list of checksums and does anyone know of a utility that might already do this?

Tripwire
http://sunsolve.sun.com/private-cgi/fileFingerprints.pl

5.) Do you know of a site that has information on this particular intrusion?

http://www.securityfocus.com/bid/2417

Thanks to all those that responded. I appreciate the information and help.

[Original message follows:]

I have a Solaris 7 installation which I realized was compromised (rooted) the other day. I have not nailed down the particulars, but I noticed that modstat is running several times and my 'find' and 'ls' commands refuse to list or find it. I know I read somewhere about this intrusion. I have the log files that it was creating. I have also subsequently installed all Solaris patches. I believe this was a problem with SNMP or something related to that (I may be wrong). Anyway, I am looking for assistance with the following:

1.) When you run into something like this what is the best way to resolve the intrusion?
2.) Do you know of any good sites that offer a good up-to-date list of known hacks and ways to fix them?
3.) Is there the equivalent of Norton Antivirus or the such for Solaris?
4.) If I want to check binary checksums against known checksums, where can I find the list of checksums and does anyone know of a utility that might already do this?
5.) Do you know of a site that has information on this particular intrusion?

Any help is appreciated.

-- John

Received on Fri Nov 30 15:39:16 2001
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:32:36 EDT