August 29th, 2003, 10:55 PM
Post Hack Clean Up
Well, I'm attempting to recover a server that was massively compromised. The server is a Sun Solaris 8 box. They used the CDE vulnerability to get in. Closing the hole is easy, but they installed a root toolkit sol.tar.gz on the system and I can't seem to find a copy on the net or any information about how to remove it. Any help?
August 29th, 2003, 11:30 PM
I would reinstall. If you want a copy to look at: http://www.l0t3k.org/tools/Rootkit/
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee.
-- true colors revealed, a brown shirt and jackboots
August 30th, 2003, 12:40 AM
Your best bet is to reinstall, once you're rooted, you'll never know if the kit was modified to backdoor files that you wouldn't be aware of by checking the source code of the original kit....
"It is a shame that stupidity is not painful" - Anton LaVey
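The reply above makes the point that a rooted box cannot be trusted to audit itself. One way to make that concrete is a baseline-and-compare check: record checksums of the system binaries on a known-good install, keep the manifest off the box, and later compare against it from trusted media (a boot CD), since `find` and `cksum` on the compromised disk may themselves have been replaced. This is an added example, not code from the thread; it uses only `cksum(1)`, `sort`, `comm` and `cmp`, which are POSIX and present on Solaris 8, and the directory tree in `demo` is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): file-integrity baseline for post-compromise triage.
# Run the comparison from trusted boot media with the suspect disk mounted read-only,
# so that the tools doing the checking are not the ones a rootkit may have replaced.

# make_baseline DIR OUT
#   Record "crc size path" for every regular file under DIR into OUT (sorted).
#   Generate this on a clean install and store OUT somewhere the server cannot write.
make_baseline() {
    find "$1" -type f -exec cksum {} \; | sort > "$2"
}

# compare_baseline BASELINE DIR
#   Rescan DIR and report entries that differ from BASELINE.
#   Prints one line per difference; returns 0 if identical, 1 if anything changed.
compare_baseline() {
    base=$1
    dir=$2
    tmp=${TMPDIR:-/tmp}
    cur=$tmp/integrity.cur.$$
    sorted=$tmp/integrity.base.$$
    find "$dir" -type f -exec cksum {} \; | sort > "$cur"
    sort "$base" > "$sorted"
    # Entries only in the baseline: file removed, or its contents changed.
    comm -23 "$sorted" "$cur" | sed 's/^/MISSING-OR-CHANGED: /'
    # Entries only in the rescan: file added, or its contents changed.
    comm -13 "$sorted" "$cur" | sed 's/^/NEW-OR-CHANGED:     /'
    if cmp -s "$sorted" "$cur"; then rc=0; else rc=1; fi
    rm -f "$cur" "$sorted"
    return $rc
}

# demo: constructed tree standing in for /usr/bin; shows a clean check, then a
# "trojaned" ls and a dropped-in extra file being flagged. Returns 0 on success.
demo() {
    d=${TMPDIR:-/tmp}/integrity.demo.$$
    mkdir -p "$d/bin" || return 2
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    make_baseline "$d/bin" "$d/baseline.cksum"
    echo "--- clean system ---"
    compare_baseline "$d/baseline.cksum" "$d/bin" && echo "no differences"
    printf 'replaced ls\n' > "$d/bin/ls"      # simulate a trojaned binary
    printf 'sniffer\n' > "$d/bin/.x"          # simulate an added hidden file
    echo "--- after tampering ---"
    compare_baseline "$d/baseline.cksum" "$d/bin"
    tampered=$?
    rm -rf "$d"
    [ "$tampered" -eq 1 ]
}
```

Usage in practice: `make_baseline /usr/bin /mnt/usb/usr-bin.cksum` on the freshly installed system, then `compare_baseline /mnt/usb/usr-bin.cksum /mnt/suspect/usr/bin` after booting from CD. `cksum` is a CRC, not a cryptographic hash, so a deliberately engineered collision is possible; where a stronger digest is installed, the same two functions work with it substituted for `cksum`.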
August 30th, 2003, 12:58 AM
Reinstalling Solaris on a server while all your folks are SOL... that would suck.
But it might have to happen that way.
I don't have any answers, but I did find an interesting page.
August 30th, 2003, 01:15 AM
Well if you have Solaris 8, here is a tut I wrote to get you going:
(USE SOFTWARE DISK ONE & TWO)
Press "Stop and A" at same time if currently logged into system
1. Type: boot cdrom (at the "ok" prompt)
(Wait for system to process)
2. Select and answer the proper Language Selection
3. Select Local
4. At the Solaris Installation Screen: Press continue
5. At the Identify this system Screen: Press Continue
6. At the Network Connectivity Select: "yes"
7. At the DHCP Screen Select: "no"
8. At the Primary Network Interface Select: hme0 or qfe0 or eri0 depending upon the machine
9. Hostname Type: e.g. : the wall4.haxor.com
10. IP Address Screen: assign IP address
11. Subnet screen Select: "yes"
12. Net Mask Screen: (type your netmask e.g 255.0.0.0)
13. IPv6 Screen Select: "no"
Confirm Network Information (continue)
14. Configure Security Policy Screen select: "no" for kerberos
Confirm information (continue)
15. Name Service Screen Select: DNS
16. Domain Name Screen Select: haxor.com
17. DNS Server addresses : e.g. 63.68.148.xx
18. DNS Search List Screen : "leave blank"
Confirm Information (continue)
19. Name Service Error Screen: type no
20. Time Zone Screen : select proper zone (Geographic Region) Select: set
21. Geographic Region Screen Select: United States/Eastern or appropriate area
22. Date & Time: choose correct time : continue
23. Solaris Interactive Installation Select: continue
24. Solaris Interactive Installation Select: continue
25. Select Geographic Regions : Select the triangle on the left for North America> then select USA select: continue
26. Select Software Choose: Developer System Support
*select to include Solaris 64 bit support (make sure square is black which indicates selected)
**. Select disk: more to right
27. Select Disks: already chosen "continue"
28. Preserve Data Select : continue
29. Automatically layout file system Select: Manual Layout
30. File System and Disk Layout Select: Customize
(/swap): twice the amount of RAM
(overlap): leave to default setting
(/var): 1/3 of free space
(/export/home): 1/3 of free space
(/usr): the free space that is left
31. Verify Information Select: continue
32. Mount Remote file System Select: continue
33. Profile Select: Begin Installation
34. Select Auto Reboot
Wait for Installation to complete
35. Will ask you for Root Password: 7charPassword
36. Specify Media from which Solaris will install Select: CD
Insert Second CD
37. Select: OK
38. Installation Summary Click: Next
39. Reboot Screen: Reboot NOW
40. Enter user name: root
41. Select: Common Desktop Environment Screen
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
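The walkthrough above is the interactive installer answered by hand. When a box has to be rebuilt after a compromise, it helps to capture the same answers in a Solaris JumpStart profile plus a sysidcfg file, so the rebuild is repeatable and the result can be compared to the build record rather than to memory. The following is an added example, not part of the original post: the keywords are the standard Solaris 8 JumpStart profile and sysidcfg keywords, the slice numbers, sizes, hostname, addresses and domain are placeholders, and the root password line takes a crypt(3) hash copied from a trusted /etc/shadow, never the clear-text password.

```text
# profile  (added example; Solaris 8 JumpStart custom profile)
# Mirrors the interactive choices: fresh install, standalone host,
# Developer System Support cluster, 64-bit support, manual disk layout.
install_type    initial_install
system_type     standalone
partitioning    explicit
cluster         SUNWCprog          # "Developer System Support"
isa_bits        64                 # the "Solaris 64 bit support" checkbox
# Placeholder sizes in MB: swap = 2 x RAM, then /var, /export/home, /usr as
# the manual layout step describes; "free" gives the remainder to one slice.
filesys         rootdisk.s1   2048  swap
filesys         rootdisk.s0   1024  /
filesys         rootdisk.s5   4096  /var
filesys         rootdisk.s7   4096  /export/home
filesys         rootdisk.s6   free  /usr

# sysidcfg  (added example; answers for the "Identify this system" screens)
system_locale=en_US
terminal=sun-cmd
timezone=US/Eastern
timeserver=localhost
# DHCP "no", IPv6 "no", primary interface hme0 (use qfe0/eri0 as the machine requires)
network_interface=hme0 {hostname=HOSTNAME-PLACEHOLDER
                        ip_address=192.0.2.10
                        netmask=255.255.255.0
                        protocol_ipv6=no}
# Kerberos "no"
security_policy=NONE
# Name service DNS, domain and server as in steps 15-17
name_service=DNS {domain_name=example.com
                  name_server=192.0.2.53}
# crypt(3) hash of the new root password, taken from a trusted shadow file
root_password=ENCRYPTED-HASH-PLACEHOLDER
```

Both files live on the JumpStart server (or a profile diskette) and are selected through the rules file; the installer then runs the same sequence as the numbered steps without a console session. Keeping the profile under version control also gives a record of what the rebuilt server was supposed to contain, which is what the integrity baseline is later checked against.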
August 30th, 2003, 03:51 AM
hell yes it would suck, but it's better than putting the server back in the wild only to find out it still has holes
I hate this place, nothing works here, I've been here for 7 years, the medication doesn't work...