Compromised Solaris 9

I have Solaris 9 installed on an E420R server. It has an Oracle DB and an application server running. This server is behind a firewall and only selected ports are opened to access the application from the Internet. Recently I found some suspicious files and a process running on the system. It looks like my server has been compromised.

bash-2.05# cd /dev/cua/...
bash-2.05# ls -la
total 1548
drwxr-xr-x   6 root     root         512 Feb 28 06:19 .
drwxr-xr-x   3 root     root         512 Feb 28 06:15 ..
-rw-r--r--   1 root     root       18124 Oct 28  2000 CHANGES
-rw-------   1 root     root       17982 May 15  1997 COPYING
-rw-r--r--   1 root     root        2660 Aug  8  2000 FAQ
-rw-r--r--   1 root     root       35874 Oct 28  2000 README
-rw-r--r--   1 root     root          76 Oct 28  2000 TODO
drwxr-xr-x   2 root     root        2048 Apr  7  2002 help
drwxr-xr-x   2 root     root         512 Feb 28 06:16 log
drwxr-xr-x   2 root     root         512 Apr  7  2002 motd
-rwxr-xr-x   1 root     root      248708 Oct 28  2000 nfsd
-rwxr-xr-x   1 root     root         331 Apr 25  2002 ntpstats
-rwxr-xr-x   1 root     root      430080 Feb 28 06:15 psy.tar
-rw-r--r--   1 root     root          76 Feb 28 06:15 psybnc.conf
-rw-------   1 root     root           7 Feb 28 06:16 psybnc.pid
drwxr-xr-x   3 root     root         512 Apr  7  2002 scripts

and the following process:

bash-2.05# ps -ef | grep cua
    root 19806     1  0   Feb 28 ?        0:00 /dev/cua/.../solbnc

bash-2.05# cd /xfn
bash-2.05# ls -la
total 13
dr-xr-xr-x   3 root     root           3 Mar  6 10:11 .
drwxr-xr-x  40 root     root        1024 Mar  2 10:51 ..
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 ...
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 _dns
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 _orgunit
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 _thisens
dr-xr-xr-x   1 root     root           1 Mar  6 10:13 _thisorgunit
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 _x500
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 org
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 orgunit
dr-xr-xr-x   1 root     root           1 Mar  6 10:14 thisens
dr-xr-xr-x   1 root     root           1 Mar  6 10:13 thisorgunit

There is evidence in root's .bash_history that /dev/cua/.../solbnc has been renamed to nfsd.

I request all of you to suggest how I can deal with this situation. What are the implications, and is the system really compromised?

Should I delete all this stuff and stop the solbnc process?

Vijendra.Jaina at 2007-11-26 20:37:27
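The two things the post above found by hand (a dot-named directory under /dev holding regular files, and a process whose binary lives under /dev) can be swept for mechanically. The script below is an added example and not code from the original thread; the directory tree and the `ps -ef` lines it feeds itself are constructed for the demonstration, and the function names `dev_sweep` and `ps_from_dev` are this example's own. For context, the `/xfn` entries (`_dns`, `_orgunit`, `_x500`, `thisens` and so on) are the layout of the Solaris Federated Naming Service mount point, so that listing on its own is not evidence of anything; the `/dev/cua/...` directory, the psyBNC files in it and the process started from it are.

```sh
#!/bin/sh
# Added example, not code from the original post. It automates the two
# manual checks above: find entries in a /dev tree that are not device
# nodes, and find running processes whose binary lives under /dev.
# The directory tree and the ps lines used at the bottom are constructed
# for the demonstration; run the functions against the real /dev and a
# real "ps -ef" on the host.

# Print entries under directory $1 that do not belong in /dev: regular
# files (device entries are specials or, on Solaris 9, symlinks into
# /devices) and subdirectories whose names start with a dot, which is
# how "/dev/cua/..." hid from a casual "ls".
dev_sweep() {
    find "$1" -type f -print 2>/dev/null
    find "$1" -type d -name '.*' -print 2>/dev/null
}

# Read "ps -ef" output on stdin and print processes whose command path
# (the CMD column, field 8 or later depending on how STIME is printed)
# starts with /dev/.
ps_from_dev() {
    awk '{ for (i = 8; i <= NF; i++) if ($i ~ /^\/dev\//) { print; break } }'
}

# Demonstration on a constructed tree (not a real /dev).
demo=$(mktemp -d)
mkdir -p "$demo/cua/..."                       # dot-named directory
: > "$demo/cua/.../psybnc.conf"                # regular file, should not be here
ln -s /devices/pseudo/none "$demo/cua/a"       # symlink, the normal case
echo "== suspicious entries under $demo =="
dev_sweep "$demo"
echo "== processes running out of /dev (constructed ps lines) =="
printf '%s\n' \
    'root 19806     1  0   Feb 28 ?        0:00 /dev/cua/.../solbnc' \
    'root   321     1  0   Feb 28 ?        0:01 /usr/sbin/sshd' | ps_from_dev
rm -rf "$demo"
```

Run `dev_sweep /dev` and `ps -ef | ps_from_dev` on the host; anything either prints deserves the same scrutiny the `/dev/cua/...` tree got. Note that a rootkit which replaces `find`, `ls` or `ps` can hide from both checks, which is the reason the later replies insist on clean binaries.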
# 1

You need to review the ports that you have opened to the Internet.

Please list them! The best way to check all the open ports is to use a port scanner; this might also help to identify ports that an attacker might have opened on the node. Scan from both inside the network and also from the DMZ.

You have a problem and need to do some serious investigation; I would say someone got in. Also check with other admins, if any.

Do you have SNORT/SANCP/SGUIL/Cisco MARS etc. configured for your DMZ? Check with your network admin.

This might help:

http://www.ucl.ac.uk/cert/nix_intrusion.pdf

HvRa at 2007-7-10 1:53:39
# 2

A good place to start is:

http://www.sun.com/bigadmin/collections/security.html

Know your Enemies

Know your Enemies 2

Know your Enemies 3

These articles have some good info as to where to start. Always remember that even though you have your firewall and systems locked down... most attacks happen from within :(

Good luck!

Lee_McCreerya at 2007-7-10 1:53:39
# 3

We have the following ports opened, and all of these ports are required to access the application installed on this server:

Ports:

7777, 5631, 5632, 5801, 1521, 4041, 5051, 7778, 500, 8888

Also, SSH (22) is opened for a few selected IPs.

We don't have any tools like SNORT/SANCP etc. configured.

If anyone can suggest some sites/docs that will help to fix the problem. I cannot re-install the system. Are you aware of tools that will help to find such problems? I have a couple more servers in the same network and doubt whether they are also compromised.

Vijendra.Jaina at 2007-7-10 1:53:39
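With the required ports now listed, the first reply's advice can be turned into a check that runs on the host itself: compare what `netstat -an` says is listening with that list and report the rest. This is an added example, not code from the thread; the `netstat` lines it feeds itself are constructed in the Solaris output format, the port 65000 in them stands in for whatever a bouncer like psyBNC happened to bind (not a value from the original post), and `ALLOWED` and `check_listeners` are this example's own names. It is a complement to scanning from outside, not a replacement, because a kernel-level rootkit can hide a socket from the local `netstat`.

```sh
#!/bin/sh
# Added example, not from the original thread. It checks the TCP listeners
# reported by "netstat -an" against the list of ports the poster says must
# stay open and prints whatever else is listening, which is the quickest
# way to spot a listener an intruder added (an IRC bouncer such as psyBNC
# is one). The netstat lines at the bottom are constructed in the Solaris
# format; on the host itself run:
#     netstat -an -f inet | check_listeners "$ALLOWED"
# Port 500 (IKE) is UDP in practice and will simply never show as LISTEN.

ALLOWED="22 500 1521 4041 5051 5631 5632 5801 7777 7778 8888"

# Read netstat -an output on stdin, keep TCP sockets in LISTEN state,
# take the port (last dot-separated part of the local address in field 1)
# and print each listening port that is not in the allowlist $1.
check_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $1; sub(/.*\./, "", port)   # "*.7777" or "10.0.0.5.7777" -> 7777
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Constructed sample of "netstat -an" TCP output; 65000 stands in for
# whatever the intruder's bouncer bound.
sample='   *.22                 *.*                0      0 49152      0 LISTEN
   *.7777               *.*                0      0 49152      0 LISTEN
   *.1521               *.*                0      0 49152      0 LISTEN
   *.65000              *.*                0      0 49152      0 LISTEN
   10.0.0.5.22          10.0.0.9.40112 49640      0 49640      0 ESTABLISHED'
echo "listening ports not in the allowlist:"
printf '%s\n' "$sample" | check_listeners "$ALLOWED"
```

Run the same check on the other servers in the segment, since the poster suspects they may be affected too, and compare the result with an `nmap` scan of each host from a machine outside the firewall: a port that the external scan sees but the local `netstat` does not is a stronger indicator than either result alone.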
# 4
I strongly recommend that you run "Rootkit Hunter" (http://www.rootkit.nl/). You will have to compile it for Solaris.
HvRa at 2007-7-10 1:53:39
# 5

Since this server is exposed to the Internet, you should not have ftp, tftp, telnet, rsh, rlogin and rcp and their respective daemons available on the system -- that is, the executables should be removed (this is not an exhaustive list). Rely solely on using ssh to access the system for maintenance, and scp for file transfers.

Make sure you have removed anonymous, uucp and other non-essential users from passwd and shadow.

Even if there is a firewall between the server and the Internet, there should also be a firewall between it and the rest of your network that acts like a one-way mirror, only letting inside servers access the exposed server, not allowing the exposed server to reach inside.

Since this is an Oracle server, write the system backups to a filesystem that is on appropriate Enterprise storage, then either use scp to pull the data inside for backup to tape, or use the storage's internal copying capability to bring the data to a separate secure set of volumes that can be mounted inside for backup to tape. Restoration works the same way, either push to the landing site using scp or land to disk internally, copy to external landing disk, then mount those disk and use to recover the database.

Chasmana at 2007-7-10 1:53:39
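On Solaris 9 the services named in the reply above (ftp, tftp, telnet and the r-services) are launched by inetd from /etc/inet/inetd.conf, so the practical order is: comment out their entries, HUP inetd, and only then remove the executables; the account cleanup is a review of who can still log in. The script below is an added example of both steps and not the reply author's own procedure; the inetd.conf and passwd fragments it edits are constructed (the `oracle` account is illustrative), it writes only under a temporary directory, and `disable_inetd_services` and `login_accounts` are this example's own names.

```sh
#!/bin/sh
# Added example, not the poster's own procedure. On Solaris 9 ftp, telnet,
# tftp and the r-services are started by inetd from /etc/inet/inetd.conf,
# so the clean way to take them off the network is to comment out their
# entries and send inetd a SIGHUP; the executables can be removed after
# that. The second function lists accounts in a passwd file that can still
# log in and are not on a keep list, which is the review the reply asks for
# before deleting uucp, anonymous and friends. Both the inetd.conf and the
# passwd fragments below are constructed and written under a temporary
# directory; nothing here touches the real /etc.

# Comment out every entry in inetd.conf $1 whose service name (field 1)
# appears in the space-separated list $2. Already-commented lines start
# with "#" and never match.
disable_inetd_services() {
    awk -v names="$2" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        ($1 in off) { print "#" $0; next }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# On the real host, make inetd re-read its configuration afterwards:
#     pkill -HUP inetd

# Print accounts in passwd file $1 whose shell still allows a login (an
# empty shell field means /bin/sh on Solaris) and that are not in the
# space-separated keep list $2. Lock or remove what comes out of this
# after checking that nothing still depends on the account.
login_accounts() {
    awk -F: -v keep="$2" '
        BEGIN { n = split(keep, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        !($1 in k) && $7 !~ /(noshell|false|nologin)$/ { print $1 }
    ' "$1"
}

# Demonstration on constructed files.
work=$(mktemp -d)
cat > "$work/inetd.conf" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
disable_inetd_services "$work/inetd.conf" "ftp tftp telnet shell login exec"
echo "== inetd.conf after edit =="; cat "$work/inetd.conf"

cat > "$work/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
anonymous:x:101:1:Anonymous FTP:/export/ftp:/bin/false
oracle:x:1001:100:Oracle owner:/export/home/oracle:/bin/ksh
EOF
echo "== accounts to review =="; login_accounts "$work/passwd" "root oracle"
rm -rf "$work"
```

Do this on a copy of inetd.conf first, diff it against the original, then install it; after the HUP confirm with `netstat -an` that ports 21, 23, 512, 513, 514 and 69 are no longer listening before removing the daemons themselves.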
# 6

As I said, I cannot format and re-install the system. I want to fix this issue as much as possible. Using check rootkit and manual inspection of logs and processes, I identified the unwanted processes and files in the system and made a list of them.

Now, should I remove all unwanted files, programs and processes manually and replace compromised binaries with good binaries from the CD? I just wanted to know whether there is any harm in doing that. I am worried about a logic bomb that could be triggered while doing the cleaning task and do more damage.

Vijendra.Jaina at 2007-7-10 1:53:40
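Before copying binaries back from the CD it is worth knowing which ones actually differ from known-good copies, and that can be established without modifying anything on the box. The script below is an added example, not the poster's or anyone else's procedure: it builds a `cksum` manifest from a clean tree and reports what in the suspect tree is changed, missing or extra. The two directory trees it compares are constructed, and `make_baseline` and `verify_baseline` are this example's own names. It only reads the suspect tree, so it cannot set off anything that waits for a file to be deleted or replaced, which is the concern raised above.

```sh
#!/bin/sh
# Added example, not the poster's procedure. Before copying binaries back
# from the CD, find out which ones actually differ from known-good copies:
# build a manifest from a clean tree, then compare the suspect tree with
# it. The comparison only reads files, so it cannot trip anything that
# waits for a file to be deleted or replaced. Both trees below are
# constructed; on the real host point make_baseline at a tree restored from
# the Solaris 9 media (or a clean host of the same patch level) and
# verify_baseline at /usr/bin, /usr/sbin, /usr/lib and so on. cksum is POSIX
# and present on the install media, so it can be run from a clean copy even
# if the host's own checksum tools are suspect; a CRC is not a cryptographic
# hash, but a CRC and size that match a pristine copy are enough to decide
# what to replace first.

# Print "crc size ./path" for every regular file under $1, sorted by path.
make_baseline() {
    (cd "$1" && find . -type f -exec cksum {} + | sort -k3)
}

# Compare tree $2 against manifest $1 (output of make_baseline) and print
# one line per difference: CHANGED, MISSING (in manifest, not in tree) or
# EXTRA (in tree, not in manifest). Paths are assumed to contain no spaces.
verify_baseline() {
    make_baseline "$2" | awk -v m="$1" '
        BEGIN { while ((getline line < m) > 0) { split(line, f, " "); base[f[3]] = f[1] " " f[2] } }
        { seen[$3] = 1
          if (!($3 in base))              print "EXTRA   " $3
          else if (base[$3] != $1 " " $2) print "CHANGED " $3 }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }'
}

# Demonstration on constructed trees: "good" plays the CD copy, "suspect"
# the live system with one replaced binary, one removed and one added.
good=$(mktemp -d); suspect=$(mktemp -d); manifest=$(mktemp)
mkdir -p "$good/bin" "$suspect/bin"
printf 'ls v1\n' > "$good/bin/ls"
printf 'ps v1\n' > "$good/bin/ps"
printf 'netstat v1\n' > "$good/bin/netstat"
cp "$good/bin/ls" "$suspect/bin/ls"          # untouched
printf 'ps trojan\n' > "$suspect/bin/ps"     # replaced binary
printf 'bouncer\n' > "$suspect/bin/solbnc"   # never shipped with the OS
make_baseline "$good" > "$manifest"
echo "== differences between suspect tree and baseline =="
verify_baseline "$manifest" "$suspect" | sort
rm -rf "$good" "$suspect" "$manifest"
```

Run `make_baseline` from a clean boot (the CD or a known-good host) and keep the manifest off the suspect machine. Every CHANGED line is a binary to replace from media; every EXTRA line in a system directory is something to examine before it is deleted; and a clean report is still not proof of a clean system, since loadable kernel modules and anything outside the trees you checked are not covered, which is why the next reply recommends re-installing anyway.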
# 7

Seriously, your best option is to completely re-install. There's no telling what kind of things the miscreant left behind on your system and what backdoors he installed for himself (that have not been detected).

Also, go ahead and change -all- the passwords on the system (or your network if those passwords are the same for more than one system). It's a safe bet the guy took your /etc/shadow and that he's already gotten all the passwords in there.

Cailin_Coilleacha at 2007-7-10 1:53:40