[unisog] anyone heard of this?

Gary Flynn flynngn at jmu.edu
Mon Jan 28 19:41:17 GMT 2002


Stephen Lee wrote:
> 
> My dearest hope is that someone found
> an lpd exploit script, changed the password, then didn't know where to
> go from there.

Not likely.

> I would have liked to shut down for a real forensic search and OS
> reinstall but that is not allowed at this point. Any pointers would be a
> great help.

1. I think there is a Sun web page where you can get MD5 signatures
   for the files on your system. Alternately, check them against an
   installation CD.

2. Nmap scan the system from another system and see what ports are open.
   Then run a clean copy of lsof on the suspect system and see what
   processes are listening. My guess is you'll find a backdoor ssh server.

Here are CERT's recommendations but a lot of them depend upon having
uncompromised system tools:

http://www.cert.org/tech_tips/intruder_detection_checklist.html

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
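The cross-check in step 2 (external nmap scan versus a clean lsof run on the host), as an added example that is not part of the original post: it parses constructed sample output from `nmap -sT` and `lsof -i -P -n` (both command lines and all sample output are assumptions) and reports ports reachable from outside with no visible local listener, which is the signature of a hidden backdoor or a trojaned lsof.

```python
import re

# Constructed sample output from `nmap -sT` run against the suspect host
# from another machine (assumed; not real scan data).
NMAP_OUTPUT = """\
Starting Nmap ( http://nmap.org )
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
515/tcp   open  printer
31337/tcp open  unknown
"""

# Constructed sample output from a clean `lsof -i -P -n` binary run on the
# suspect host (assumed; not real data).
LSOF_OUTPUT = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     212 root    3u  IPv4   0x1      0t0  TCP *:22 (LISTEN)
httpd    300 root    4u  IPv4   0x2      0t0  TCP *:80 (LISTEN)
lpd      180 root    3u  IPv4   0x3      0t0  TCP *:515 (LISTEN)
mysqld   410 mysql   9u  IPv4   0x4      0t0  TCP 127.0.0.1:3306 (LISTEN)
"""

NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\b")
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+.*TCP\s+(\S+):(\d+)\s+\(LISTEN\)")

def parse_nmap(text):
    """Return the set of TCP ports nmap reports as open."""
    return {int(m.group(1)) for line in text.splitlines()
            for m in [NMAP_RE.match(line)] if m}

def parse_lsof(text):
    """Map each listening TCP port to (command, pid, bind address)."""
    listeners = {}
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if m:
            listeners[int(m.group(4))] = (m.group(1), int(m.group(2)), m.group(3))
    return listeners

def cross_check(nmap_text, lsof_text):
    """Compare the outside view with the inside view of the same host."""
    external = parse_nmap(nmap_text)
    local = parse_lsof(lsof_text)
    # Open from outside but no process owns it locally: hidden listener.
    hidden = sorted(p for p in external if p not in local)
    # Listening locally but not seen from outside: loopback-bound or filtered.
    local_only = sorted(p for p in local if p not in external)
    return {"hidden": hidden, "local_only": local_only, "listeners": local}

if __name__ == "__main__":
    print(cross_check(NMAP_OUTPUT, LSOF_OUTPUT))
```

Any port in `hidden` deserves the same treatment as a failed file checksum: treat the host as compromised until explained.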


