anyone heard of this?
lee at mailhost.sju.edu
Mon Jan 28 16:48:12 GMT 2002
We have a Solaris 2.6 server which has had the root password
mysteriously change twice in the last three weeks. The first time it
was blamed on the only admin who was logged in at the time although she
denied it. The second time we realized it is probably not a mistake.
Tripwire reported a change to /etc/shadow and no other files. I compared
md5 signatures against Sun's database looking for a rootkit and found
The server serves up nfs, samba, lpd (was not patched at the time of
the problem but is now), ntp, pop. My dearest hope is that someone found
an lpd exploit script, changed the password, then didn't know where to
go from there. My biggest fear is someone has shredded our defenses and
is now having fun watching me squirm.
I would have liked to shut down for a real forensic search and OS
reinstall but that is not allowed at this point. Any pointers would be a
Stephen J. Lee Saint Joseph's University
Systems Administrator 5600 City Avenue
Networking & Telecommunications Philadelphia, PA 19131-1395
E-mail: lee at sju.edu Voice: (610) 660-1679
Fax: (610) 660-1536
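The poster's approach of checking md5 signatures against a vendor database of known-good binaries is the standard way to tell a tampered binary from a patched one. The script below, an added example that is not part of the original post, shows the comparison step: it parses a baseline manifest in the two-column md5sum format (digest, whitespace, path), computes the same digests for the live files, and reports changed, missing and unexpected entries. The manifest contents and paths are constructed for illustration and are not real Solaris fingerprints; the helper names are this example's own.

```python
"""Compare live file digests against a known-good md5 manifest.

Added example (not from the original post). Assumes a manifest in the
md5sum two-column format: hex digest, whitespace, path. Any line that
starts with '#' is a comment. The digests below are constructed from
short strings and are NOT real Solaris fingerprints.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Constructed baseline, as it might be exported from a known-good host.
BASELINE_MANIFEST = """\
# constructed digests for illustration only
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/login
0cc175b9c0f1b6a831c399e269772661  /usr/sbin/in.lpd
92eb5ffee6ae2fec3ad71c777531578f  /etc/shadow
"""

# Constructed "live" listing: /etc/shadow differs and a new file appeared.
CURRENT_MANIFEST = """\
d41d8cd98f00b204e9800998ecf8427e  /usr/bin/login
0cc175b9c0f1b6a831c399e269772661  /usr/sbin/in.lpd
4a8a08f09d37b73795649038408b5f33  /etc/shadow
900150983cd24fb0d6963f7d28e17f72  /usr/bin/.hidden
"""


def parse_manifest(lines: Iterable[str]) -> Dict[str, str]:
    """Turn md5sum-style lines into {path: lowercase hex digest}."""
    manifest: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, path = parts
        manifest[path] = digest.lower()
    return manifest


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory buffer (used for self-checks)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 65536) -> str:
    """MD5 hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_live_files(paths: Iterable[str]) -> Dict[str, str]:
    """Digest every path that exists and is readable; skip the rest silently.

    A path that is missing shows up later as 'missing' in compare_manifests,
    which is itself a finding worth looking at.
    """
    live: Dict[str, str] = {}
    for path in paths:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            live[path] = md5_of_file(path)
    return live


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (changed, missing, unexpected) path lists, each sorted.

    changed:    present in both with different digests
    missing:    in the baseline but not on the live host
    unexpected: on the live host but absent from the baseline
    """
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return changed, missing, unexpected


def run_sample() -> Tuple[List[str], List[str], List[str]]:
    """Compare the two constructed manifests above."""
    baseline = parse_manifest(BASELINE_MANIFEST.splitlines())
    current = parse_manifest(CURRENT_MANIFEST.splitlines())
    return compare_manifests(baseline, current)


if __name__ == "__main__":
    changed, missing, unexpected = run_sample()
    # Note: /etc/shadow legitimately changes on every password change, so
    # its baseline digest is only meaningful relative to the last change
    # the administrators actually made.
    print("changed:   ", changed)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```

On a real host the live side would come from `digest_live_files(baseline.keys())` rather than a second manifest; running it from read-only, trusted media matters, because a replaced `md5` or `ls` binary can lie about itself, which is exactly why the vendor database check exists.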