> aha! yes - thanks, looks like someone was kind enough to stop by and pay a visit
> on April 7th.
> I have a whole bunch of system executables updated, ugh!
> I was able to find the offending process.
> Using "/usr/ucb/ps -aux" I found a process called in.lpda spinning.
> Is this a known trojan?
It's pretty common to hide a process with a name like lpd, so it's not much of
a signature on its own. You could search INCIDENTS or Bugtraq
(http://www.securityfocus.com/) for references to that specific process name.
I'm pretty sure I've seen that particular name before, but they all run
together after a while...
From the behavior you described, I'd guess your machine has a network attack
engine on it, possibly part of a Trin00/Stacheldraht or similar network, or a
lone stream attack engine. Bozos use these to overwhelm sites to take them
down, commonly in order to get operator status on an IRC channel by blackholing
the server the current operator is connected to (yes, they hack your machine in
order to play IRC king-of-the-hill, yes, it is that frivolous, bozos with
idleworms). Once the attack is successful, the bozo may be unable to shut it off
because it is saturating the network connection on the attacking machine, so
the attack may continue unchecked until the operator notices the slugging
behavior and reboots.
If the in.lpda process is running after boot, it's likely a back door. You can
use lsof to see if it has bound some network ports. Likely a plain /bin/sh back
door, or possibly ssh. Another possibility is that it is a password sniffer.
See if you can find a file called tcp.log, or run strings against the in.lpda
executable to find pathnames. Also run /usr/proc/bin/pmap and
/usr/proc/bin/pfiles against it for additional clues. Look in /etc/inittab, and
all the cron scripts for the trigger that kicks off the back door on boot. Run
tail against all the init scripts as well, especially ones whose last change
time correlates with the intrusion.
You should run forensics on all the Solaris and Linux hosts on your network, at
the very least, to check whether multiple hosts have been compromised. You may
have a lot of work ahead of you, especially if there was a password sniffer on
the box. If you find one, you should also alert any offsite administrators of
hosts your local users like to telnet/rlogin/ftp into, since their credentials
may have been compromised. Don't rely strictly on what you might find in the
sniffer log; bozos clean out the log periodically.
When you reinstall, keep the machine off the network until it is fully patched
and all unnecessary services are shut down, and put tcp wrappers on the
machine. It is quite common for the bozo to return aggressively, and your
machine is vulnerable until it is patched.
> I needed an excuse to upgrade to Solaris 8 anyway, looks like I'll be reloading
> this particular server, and clamping down a lot harder on my internet facing
> I inadvertently left the rpc services open, this won't happen again. I hate to
> ask, but are these Solaris rpc vulnerabilities documented anywhere, or is this a
> comp.unix.security question?
The best place I know to look is in the vulnerability database on
securityfocus.com. By no means restrict your search to RPC vulnerabilities;
these are just the most common on Solaris. In particular they are documented on
the SANS top ten list of threats (http://www.sans.org/topten.htm), and there is
a CERT advisory about them as well.
There are a number of tools for hardening Solaris. I think Casper Dik wrote
one; I think YASSP is another. You can find these in the tools section on
> Thanks again!
Jefferson Ogata : Internetworker, Antibozo
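The check the reply recommends for the init scripts, /etc/inittab and the cron entries (find the ones whose last-change time correlates with the intrusion) can be done with a few lines of portable shell. The script below is an added example, not part of the original message or its author's tools; the directory layout, the date window and the sample file tree are constructed assumptions, and lsof, pmap and pfiles are host tools that are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): list files whose modification
# time falls inside a window around the suspected intrusion date, the check
# the reply suggests for /etc/inittab, the cron scripts and the init scripts.
# Only POSIX find(1) and touch(1) are used, so it runs on Linux as well as
# Solaris. On a real host you would pass /etc/init.d /etc/rc*.d
# /var/spool/cron/crontabs and the date taken from your own logs.

# changed_between START END DIR...
#   START/END are touch -t stamps (CCYYMMDDhhmm). Prints, sorted, every
#   regular file under DIR... modified after START and not after END.
changed_between() {
    start=$1
    end=$2
    shift 2
    ref=${TMPDIR:-/tmp}/triage_ref.$$
    mkdir "$ref" || return 1
    # find -newer cannot take a date directly, so compare against two
    # reference files stamped with the window boundaries.
    touch -t "$start" "$ref/start"
    touch -t "$end" "$ref/end"
    find "$@" -type f -newer "$ref/start" ! -newer "$ref/end" 2>/dev/null | sort
    rm -rf "$ref"
}

# make_sample_tree DIR
#   Builds a constructed stand-in for parts of /etc and /var/spool/cron:
#   one file untouched since install, two changed around the April 7th
#   date mentioned in the quoted message. The contents are placeholders.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc/init.d" "$root/var/spool/cron/crontabs"
    printf '%s\n' '#!/sbin/sh' '/usr/sbin/inetd -s' > "$root/etc/init.d/inetsvc"
    printf '%s\n' '#!/sbin/sh' '/usr/lib/lpsched' > "$root/etc/init.d/lp"
    printf '%s\n' '0 3 * * * /usr/lib/fs/nfs/nfsfind' \
        > "$root/var/spool/cron/crontabs/root"
    touch -t 199912010000 "$root/etc/init.d/inetsvc"            # install time
    touch -t 200004071523 "$root/etc/init.d/lp"                 # intrusion day
    touch -t 200004080102 "$root/var/spool/cron/crontabs/root"  # night after
}

# Stand-alone demo: scan two days either side of April 7th, 2000.
sample=${TMPDIR:-/tmp}/sample_host.$$
make_sample_tree "$sample"
changed_between 200004050000 200004090000 "$sample"
rm -rf "$sample"
```

The demo prints only the two files touched around the intrusion date; the untouched init script is filtered out. Run the same function against the real directories with a window taken from your logs, then read each hit in full rather than only its tail, since an added line may sit anywhere in the script.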