[unisog] anyone heard of this?

Ken Connelly Ken.Connelly at uni.edu
Mon Jan 28 18:58:59 GMT 2002

Stephen Lee wrote:

> Hi,
>         We have a Solaris 2.6 server which has had the root password
> mysteriously change twice in the last three weeks.  The first time it
> was blamed on the only admin who was logged in at the time although she
> denied it. The second time we realized it is probably not a mistake.
> Tripwire reported a change to /etc/shadow and no other files. I compared
> md5 signatures against Sun's database looking for a rootkit and found
> none.
>         The server serves up nfs, samba, lpd (was not patched at the time of
> the problem but is now), ntp, pop. My dearest hope is that someone found
> an lpd exploit script, changed the password, then didn't know where to
> go from there. My biggest fear is someone has shreaded our defenses and
> is now having fun watching me squirm.
>         I would have liked to shut down for a real forensic search and OS
> reinstall but that is not allowed at this point. Any pointers would be a
> great help.

Shutting it down is not allowed?!?!?  If the box is so important that it can't
be shutdown, then it's even that more crucial that it be removed from the net
and examined.  If the powers that be won't let that happen, it's time to give
them their two-week notice...

> Regards,
> Steve
> --
> Stephen J. Lee                  Saint Joseph's University
> Systems Administrator           5600 City Avenue
> Networking & Telecommunications Philadelphia, PA 19131-1395
> E-mail: lee at sju.edu             Voice: (610) 660-1679
>                                 Fax: (610) 660-1536

- Ken
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network Services
University of Northern Iowa                     Cedar Falls, IA  50614-0121
email: Ken.Connelly at uni.edu    phone: (319) 273-5850    fax: (319) 273-7373

More information about the unisog mailing list