Sun Solaris CDE recent compromise... (fwd)

From: Michael Strain <strain_at_mango.uoregon.edu>
Date: Thu, 14 Feb 2002 15:44:07 -0800

One of our Sun (Varian) NMR consoles has just been broken into by this
exploit.

Here is a message from our network services...

--Mike Strain

---------- Forwarded message ----------
> Subject: uosecurity: Sun Solaris CDE recent compromise...


Just an early warning... We have seen recently
what we believe to be yet another Sun CDE compromise on campus.
It's likely that the dtspc / dtspcd process was
overflowed and used to get root.

http://www.cert.org/advisories/CA-2001-31.html

In this case, modified binaries were installed, ps/ls/netstat/....
One footprint of this particular local attack would be recent
modification dates on the files in /usr/bin/mc*.

        ls -l /usr/bin/mc*

In this case, port attempts against port 6112 were observed.
If you are running CDE, and you are not packet filtering, you
may be in trouble. You might try this command:

        pkgchk -l -p /usr/bin/ls

I continue to recommend that Solaris users do not run CDE or
the processes associated with it. The history of compromises
against the CDE package speaks for itself.
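The forwarded note suggests two host-side checks: look for recently modified files under a binary directory, and verify a suspect binary against the package database with `pkgchk -l -p`. The POSIX shell helper below is an added example, not part of either message above, that wraps both checks; the `recent_mods`, `count_recent`, `verify_pkg` and `make_demo` function names are my own, the `pkgchk` invocation is the one quoted in the note (Solaris only; the helper reports a distinct status when the tool is absent), and the demo tree it builds is constructed so the script runs on any system.

```shell
#!/bin/sh
# Added example (not from the forwarded message): flag binaries with a
# recent modification time, the footprint the note points at, and hand a
# suspect file to pkgchk where that tool exists (Solaris).

# recent_mods DIR DAYS: print regular files under DIR modified within DAYS days.
recent_mods() {
    dir="$1"; days="$2"
    find "$dir" -type f -mtime -"$days" -print | sort
}

# count_recent DIR DAYS: number of recently modified files, for quick triage.
count_recent() {
    recent_mods "$1" "$2" | wc -l | tr -d ' '
}

# verify_pkg FILE: compare FILE with its package record via pkgchk.
# Returns 2 when pkgchk is not installed so a caller can tell "not checked"
# apart from "check failed".
verify_pkg() {
    command -v pkgchk >/dev/null 2>&1 || return 2
    pkgchk -l -p "$1"
}

# make_demo: constructed sample tree with two fake binaries; "ls" is
# backdated so it looks untouched, "ps" keeps its fresh mtime.
make_demo() {
    d=$(mktemp -d)
    printf 'old' > "$d/ls"
    printf 'new' > "$d/ps"
    touch -t 200001010000 "$d/ls"   # backdate to 2000-01-01 00:00
    echo "$d"
}

# Stand-alone run: show what the triage would report on the demo tree.
demo_dir=$(make_demo)
echo "Recently modified under $demo_dir:"
recent_mods "$demo_dir" 7
verify_pkg "$demo_dir/ps" || echo "pkgchk status: $?"
rm -rf "$demo_dir"
```

On a real Solaris host the calls would be `recent_mods /usr/bin 7` (or `ls -l /usr/bin/mc*` as the note suggests) followed by `verify_pkg /usr/bin/ls`; a binary replaced by an attacker does not usually match its package checksum, and a freshly modified system binary in a directory that has not seen patching is worth pulling for analysis.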
Received on Thu Feb 14 2002 - 17:41:23 MST
