anyone heard of this?

Stephen Lee lee at
Mon Jan 28 16:48:12 GMT 2002

	We have a Solaris 2.6 server which has had the root password
mysteriously change twice in the last three weeks.  The first time it
was blamed on the only admin who was logged in at the time although she
denied it. The second time we realized it is probably not a mistake.
Tripwire reported a change to /etc/shadow and no other files. I compared
md5 signatures against Sun's database looking for a rootkit and found
	The server serves up nfs, samba, lpd (was not patched at the time of
the problem but is now), ntp, pop. My dearest hope is that someone found
an lpd exploit script, changed the password, then didn't know where to
go from there. My biggest fear is someone has shreaded our defenses and
is now having fun watching me squirm.
	I would have liked to shut down for a real forensic search and OS
reinstall but that is not allowed at this point. Any pointers would be a
great help.

Stephen J. Lee			Saint Joseph's University
Systems Administrator		5600 City Avenue
Networking & Telecommunications	Philadelphia, PA 19131-1395
E-mail: lee at		Voice: (610) 660-1679
				Fax: (610) 660-1536

More information about the unisog mailing list