“sexygurl” rootkit hack
:?::mad::???:Found out today at school that a bunch of Sun workstations have been hacked by an rpcbind vulerability which affects portmapper in Solaris 8 and 9. The hack is pretty simple and can be conducted through available scripts on IRC and on the internet. I have traced the hacked back to a machine in Cincinnati using Fuse Internet Service. They are behind a very stateful firewall and are difficult to track down. My IDS system logged interactions between that IP and a bunch of Sun OS machines on campus (through suspicious ports and the like), so we have concrete proof and we are in the process of following up with the ISP. I hate script kiddies! They got in through this vulnerability and installed a very old rootkit (of sexygurl fame), replaced a bunch of files in /usr/bin etc. OK I got sidetracked looking for information. Anyways, the actual fault, in my humble opinion, lies with Sun. They released a patch for the sadmin vulnerability in question, but it failed to show up on their critical ptach list till the 15th of september. Moral of the story? If you are on an always on connection and want a secure system, cron patch jobs every other day or setup an auto-update schedule through Windoze, you will suffer if you slack!
5 Comments »
The URI to TrackBack this entry is: http://mindfulmusings.net/weblog/2003/09/30/sexygurl-rootkit-hack/trackback/
RSS feed for comments on this post.
Leave a comment
Line and paragraph breaks automatic, e-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>
twa
Comment by Anonymous 12/19/2003 @ 3:27 pmwhy are you against that hacker you shuold suport
Comment by phreak 3/1/2004 @ 11:46 amhim
hahaha …. cute
Comment by German Carrasco 6/23/2004 @ 4:14 amSEXGURL
Comment by DAIM50 7/15/2004 @ 5:40 amboy&girl
Comment by kamran 2/13/2005 @ 5:37 am