Sun Microsystems is aware of an active worm which exploits the in.telnetd vulnerability described in Sun Alert 102802.
Here are a few steps to help determine if a Solaris 10 or Nevada system may be infected:
$ ls -la /var/adm/wtmpx
If the permissions are:
-rw-r--rw- 1 adm adm 1116 Feb 28 12:03 wtmpx
the system may be infected. Next, the following command can be run:
$ ls -la /var/adm/sa
If there is a directory named .adm, the system is probably infected. Other possible indications include the existence of the files:
/var/adm/.profile
/var/spool/lp/.profile
Additional possible indications include modified crontab entries for the users adm and lp, which set PATH=. before running the worm's binary:
# cd /var/spool/cron/crontabs
# grep PATH=\. *
adm:#10 1 * * * (cd /var/adm/sa/ && cd .adm && [ -x sysadm ] && PATH=. sysadm) >/dev/null 2>&1 &
lp:#10 1 * * * (cd /var/spool/lp/admins/ && cd .lp && [ -x lpsystem ] && PATH=. lpsystem) >/dev/null 2>&1 &
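As an added example that is not part of Sun's advisory, the indicators above folded into one read-only check. It assumes a POSIX shell (ksh on Solaris) and takes an optional root prefix, an assumption added here so the same check can be pointed at a mounted image or a test tree rather than only the live system:

```shell
#!/bin/sh
# Added example, not Sun's code. Read-only check for the indicators listed in
# the advisory; needs a POSIX shell (ksh on Solaris, whose /bin/sh lacks $(...)).
# The ROOT prefix argument is an assumption added here; "/" means the live system.
telnet_worm_indicators() {
    root=${1%/}          # "/" becomes "", so every path below stays absolute
    hits=0
    # 1. /var/adm/wtmpx is normally mode 644; the worm leaves it world-writable
    if [ -f "$root/var/adm/wtmpx" ]; then
        mode=$(ls -l "$root/var/adm/wtmpx" | cut -c1-10)
        case "$mode" in
            ????????w?) echo "INDICATOR: $root/var/adm/wtmpx is world-writable ($mode)"
                        hits=$((hits + 1)) ;;
        esac
    fi
    # 2. hidden working directories the worm creates
    for d in /var/adm/sa/.adm /var/spool/lp/admins/.lp; do
        if [ -d "$root$d" ]; then
            echo "INDICATOR: hidden directory $root$d exists"
            hits=$((hits + 1))
        fi
    done
    # 3. .profile files dropped for the adm and lp accounts
    for f in /var/adm/.profile /var/spool/lp/.profile; do
        if [ -f "$root$f" ]; then
            echo "INDICATOR: unexpected file $root$f exists"
            hits=$((hits + 1))
        fi
    done
    # 4. crontab entries that run a binary with PATH=. (the grep shown above)
    for u in adm lp; do
        c="$root/var/spool/cron/crontabs/$u"
        if [ -f "$c" ] && grep 'PATH=\.' "$c" >/dev/null 2>&1; then
            echo "INDICATOR: crontab of $u contains a PATH=. entry"
            hits=$((hits + 1))
        fi
    done
    echo "indicators found: $hits"
    return 0
}
# Prints only the count, for use from other scripts.
indicator_count() {
    telnet_worm_indicators "$1" | sed -n 's/^indicators found: //p'
}
telnet_worm_indicators "${1:-/}"
```

A count of zero does not prove a clean system; it only means none of the artifacts named in the advisory are present under that root.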
The following Korn shell script, inoculate.local, can be run locally on an infected system as the root user to remove the worm and prevent re-infection by disabling the telnet service.
#!/bin/ksh -p
#
# Usage: inoculate.local
#
# Disable the vulnerable telnet service first. svcadm fails for
# non-root users, so this also serves as the privilege check.
/usr/sbin/svcadm disable telnet || {
    echo This script must run as root. 1>&2
    exit 1
}
# Cleanup filesystem: remove the dropped .profile files and the hidden
# working directories, and restore the normal mode of wtmpx
/bin/rm -f /var/adm/.profile /var/spool/lp/.profile
/bin/rm -rf /var/spool/lp/admins/.lp
/bin/rm -rf /var/adm/sa/.adm
/bin/chmod 644 /var/adm/wtmpx
# Cleanup crontab: rewrite the adm and lp crontabs without the worm's
# entries (crontab with no file argument reads the new table from stdin)
t=`/bin/mktemp /tmp/cr.XXXXXX`
/bin/crontab -l adm > "$t"
/bin/egrep -v 'Restarting scheduler|cd \.adm' "$t" | su adm -c /bin/crontab
/bin/crontab -l lp > "$t"
/bin/egrep -v 'Restarting scheduler|cd \.lp' "$t" | su lp -c /bin/crontab
/bin/rm -f "$t"
# Kill processes: the worm runs as lp and adm under names that mimic
# system administration commands
/bin/pkill -9 -u lp 'lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'
/bin/pkill -9 -u adm 'devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'