nfsd won't start at boot up
# 15  
Old 03-13-2005
This is beginning to look like a break-in. The email in the script 'optix@dr-dre.com' might be related to this website.

http://www.dr-dre.com/index.shtml

Then I just 'googled' this out

Sniffload

"Posted By Gustavo Colmenares On Sunday, September 01, 2002 at 5:31 PM

I have a Mailserver with Solaris 2.7 and recently it was hacked with a rootkit "sniffload." (sniffer)

This rootkit replaces versions of the filesystem files with Trojan horses (ps, find, netstat for example) and sends information to an unknown address 128.0. something.

The files that it installs are lpq, lpset, lpstart in the directory usr/lib

Can somebody help me to return my system to normal? What can I do to stop the attack?

Thank you for your help
"
# 16  
Old 03-13-2005
And I googled this... From this page:

Quote:
SOLARIS ATTACK SIGNATURE
------------------------

If you are checking your Solaris system for signs of an attack,
you can look for the following (this is not a complete list).
Note that the file sizes, etc., may differ from system to system.

Files modified:

/usr/bin/du (Size should be 9380, replaced version is 12352)
/usr/bin/find (Size and date unchanged)
/usr/bin/login (Size and date unchanged)
/usr/bin/ls (Size and date unchanged)
/usr/bin/netstat (Size and date unchanged)
/usr/bin/passwd (Size and date unchanged)
/usr/bin/ps (Size should be 5540, replaced version is 12720)

Files or directories added:

/usr/lib/lpset Password sniffer
/usr/lib/lpstart Startup script for attack tool
/etc/lpd.config
/var/lp/lpacct/lpacct Hacker IRC-like tool
/dev/pts/01/bin Directory with various binaries
/dev/prom/sn.l Password sniffer log
/usr/bin/sshd2 Installed SSH with backdoor
# 17  
Old 03-13-2005
Quote:
Originally Posted by Perderabo
I suspect that you have been hacked. dr-dre.com? That won't be from a Sun package! It kinda looks like it's being run from rc2 directly. To see if that's the case...
ls -l /sbin/rc2
grep lp /sbin/rc2

I don't have it in my rc2. If it's not there, try:
grep lpstart /etc/init.d/*


Sure enough..

# grep lp /sbin/rc2
/usr/lib/lpstart
/usr/lib/lpstart
/usr/lib/lpstart
#

What to do now? Is there a way for me to find out which other binaries have been compromised?

Thanks for your help!
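The signature quoted in post #16 and the grep Perderabo suggested can be turned into one repeatable check. The following POSIX shell function is an added example written for this thread, not something from the forum, from Sun or from any rootkit-detection tool: the added paths, the two reference sizes and the lpstart hook come straight from the quoted signature and from the rc2 grep above; the function name, the ROOT argument and the ADDED/HOOK/SIZE labels are my own. Because the kit replaces ls, find, ps and netstat, run it from a trusted boot medium against the suspect disk mounted under ROOT rather than trusting the live system's own binaries.

```shell
#!/bin/sh
# Added example (not from the thread): scan a filesystem tree for the
# sniffload indicators quoted in the attack signature above.
# ROOT defaults to "/" so the same function can be pointed at a disk
# mounted from a trusted boot medium, or at a constructed directory.

# Reference sizes given in the signature (bytes). The signature itself
# warns that sizes vary between systems, so a mismatch is a hint only.
DU_EXPECTED=9380
PS_EXPECTED=5540

# Files and directories the signature lists as added by the kit.
SNIFFLOAD_ADDED="usr/lib/lpset usr/lib/lpstart etc/lpd.config var/lp/lpacct/lpacct dev/pts/01/bin dev/prom/sn.l usr/bin/sshd2"

# check_sniffload_indicators [ROOT]
# Prints one line per finding; returns 0 when nothing is found, 1 otherwise.
check_sniffload_indicators() {
    root=${1:-/}
    root=${root%/}       # strip a trailing slash so "$root/usr/..." is clean
    found=0

    # 1. files the kit drops
    for rel in $SNIFFLOAD_ADDED; do
        p="$root/$rel"
        if [ -e "$p" ] || [ -L "$p" ]; then
            echo "ADDED: $p"
            found=1
        fi
    done

    # 2. the startup hook: lpstart referenced from /sbin/rc2 or /etc/init.d
    for script in "$root/sbin/rc2" "$root"/etc/init.d/*; do
        [ -f "$script" ] || continue
        if grep -q lpstart "$script" 2>/dev/null; then
            echo "HOOK: $script references lpstart"
            found=1
        fi
    done

    # 3. size hints for the two binaries the signature gives numbers for
    for pair in "usr/bin/du:$DU_EXPECTED" "usr/bin/ps:$PS_EXPECTED"; do
        rel=${pair%%:*}
        want=${pair##*:}
        p="$root/$rel"
        [ -f "$p" ] || continue
        have=$(wc -c < "$p" | tr -d ' ')
        if [ "$have" != "$want" ]; then
            echo "SIZE: $p is $have bytes, signature lists $want"
            found=1
        fi
    done

    return $found
}

# When run as a script with a path argument, check that tree and exit
# non-zero if anything was found (useful from a cron job or a rescue shell).
if [ $# -gt 0 ]; then
    check_sniffload_indicators "$1"
fi
```

A size check only covers the two binaries the signature quotes numbers for; on Solaris itself, `pkgchk -p /usr/bin/ps` (and the other replaced paths) compares a file against the installed package database and is the better answer to "which other binaries have been compromised", though it too must be run from trusted media, since the thread's advice to reinstall stands regardless of what the check finds.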
# 18  
Old 03-13-2005
Quote:
Originally Posted by dcshungu
Sure enough..

# grep lp /sbin/rc2
/usr/lib/lpstart
/usr/lib/lpstart
/usr/lib/lpstart
#

What to do now? Is there a way for me to find out which other binaries have been compromised?

Thanks for your help!
I see that you say "(we are behind an institution-wide firewall)". Do you have institution-wide security people? Contact them. Now. Tonight. This attack has almost certainly spread past this one system. As for this system, I would completely re-install the operating system.
# 19  
Old 03-13-2005
Quote:
Originally Posted by Perderabo
I see that you say "(we are behind an institution-wide firewall)". Do you have institution-wide security people? Contact them. Now. Tonight. This attack has almost certainly spread past this one system. As for this system, I would completely re-install the operating system.

There is no way around the fact that we must rebuild our systems. Just in time to upgrade to Solaris 10. Just left our IT people a message, but my sense is that the damage won't be extensive since our IT explicitly tells people that they do not support UNIX boxes, so that most people have avoided getting them or have been migrating to supported platforms. Since I could not count on support from our IT, I had contacted Sun's tech support (@ $300/hr), but they could not figure out what was going on, so I looked for the answer online, which led me to the Unix Forums.

Is Solaris 10 stable? Does any one have experience with it yet?

Thanks for everything!
# 20  
Old 03-13-2005
Thanks Perderabo,

You picked that up nicely where I left off.

dcshungu, glad we were able to help. Now apart from a clean reinstall, don't forget to change the root passwords to all your machines after reinstall, and make sure user passwords are also changed. Also if you don't need to use them you should consider disabling telnet/rlogin/rsh/rcp/rexec/ftp and using only the secure equivalents.

Quote:
Just left our IT people a message, but my sense is that the damage won't be extensive since our IT explicitly tells people that they do not support UNIX boxes, so that most people have avoided getting them or have been migrating to supported platforms.
There may well be no support for Unix desktops, but there may be Unix servers elsewhere in the network as mail servers etc., but even if this is not the case your IT people should at least be concerned about the security breach, whether it was internal or external.


Quote:
Is Solaris 10 stable? Does any one have experience with it yet?
For Solaris 10 you should start a new thread to ask about it since you are moving on to a new topic.
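The advice above to disable telnet/rlogin/rsh/rcp/rexec/ftp after the rebuild is, on the Solaris releases this thread is about (pre-10), a matter of commenting out lines in /etc/inetd.conf. The following is an added example, not code from the thread or from Sun: a POSIX shell function that produces a copy of inetd.conf with those services commented out and tagged, so the change can be reviewed with diff before it replaces the real file. The service names map as inetd names them (shell is rsh/rcp, login is rlogin, exec is rexec); the function name, the "#disabled#" tag and the sample inetd.conf fragment are my own assumptions, and the fragment is constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): disable clear-text services in a
# pre-Solaris-10 style /etc/inetd.conf by commenting their lines out.
# Works on a copy so the result can be reviewed before it is installed.

# inetd service names for the daemons named in the thread. "shell" is the
# rsh/rcp service, "login" is rlogin, "exec" is rexec.
CLEAR_TEXT_SERVICES="telnet login shell exec ftp"

# disable_clear_text_services INPUT OUTPUT
# Writes INPUT to OUTPUT with every matching active service line prefixed
# "#disabled# "; comments and blank lines pass through. Prints the number
# of lines changed on stdout so a caller can check that something happened.
disable_clear_text_services() {
    in=$1
    out=$2
    awk -v names="$CLEAR_TEXT_SERVICES" -v out="$out" '
        BEGIN {
            n = split(names, a, " ")
            for (i = 1; i <= n; i++) off[a[i]] = 1
            changed = 0
        }
        # already a comment, or blank: leave untouched
        /^[ \t]*#/ || /^[ \t]*$/ { print > out; next }
        # first field is the service name in inetd.conf
        ($1 in off) { print "#disabled# " $0 > out; changed++; next }
        { print > out }
        END { print changed }
    ' "$in"
}

# Demonstration on a constructed Solaris-9-style fragment (not a real file).
tmpdir=$(mktemp -d)
cat > "$tmpdir/inetd.conf" <<'EOF'
# constructed sample inetd.conf fragment
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
changed=$(disable_clear_text_services "$tmpdir/inetd.conf" "$tmpdir/inetd.conf.new")
echo "$changed service line(s) disabled; review $tmpdir/inetd.conf.new before copying it over /etc/inetd.conf"
# After installing the reviewed file, send inetd a HUP so it re-reads the
# configuration, then confirm the ports are closed from another host.
```

Only the five named services are touched, so unrelated entries such as finger in the sample are left alone for a separate decision. On Solaris 10, which the poster is moving to, inetd services are managed by SMF instead, and the equivalent is `svcadm disable svc:/network/telnet:default` and its siblings rather than editing inetd.conf.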