This is Tsutomu's analysis of the state of his system after it was halted following the break-in. The fields here are information about when and how files on the machine were accessed:
inode# size(blocks) permissions linkcount owner group size(bytes) date system Access/Change/Modify[ACM] filename (-> target, for symlinks)
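As an added illustration (not part of Tsutomu's analysis or his tooling), a small Python parser for the record layout above: it reads one record per line, copes with the "major, minor" column that device nodes carry in place of a byte count, splits the timeline into bursts separated by silence, measures a burst's elapsed time the way the transfer and compile estimates further down are made, and flags setuid binaries, device nodes, trust files and C/M (rather than A) entries. The sample records are constructed from the layout of this page, and the year 1994 is an assumption the dump itself does not state.

```python
import re
from datetime import datetime

# Record layout (one per line): inode blocks perms links owner group bytes
# Mon DD HH:MM:SS host A|C|M path [-> target]; device nodes carry "major, minor"
# in place of the bytes column.
RECORD = re.compile(
    r"^(?P<inode>\d+)\s+(?P<blocks>\d+)\s+(?P<perms>[-lcdbps][rwxsStT-]{9})\s+"
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+(?:,\s*\d+)?)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<acm>[ACM])\s+(?P<path>\S+)(?:\s+->\s+(?P<target>\S+))?$"
)
YEAR = 1994  # assumption: the dump has no year column; needed only to order times

# Constructed sample modelled on the records in this analysis, not the full dump.
SAMPLE = """\
2272 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:18:37 astarte A /z/usr/etc/in.rshd
14653 1 -rw-r--r-- 1 root staff 187 Dec 25 14:18:38 astarte A /z/export/root/osiris/.rhosts
83057 24 -rwsr-xr-x 1 root staff 24576 Dec 25 14:22:20 astarte A /z/x/usr_u1/openwin/bin/loadmodule
2314 1 lrwxrwxrwx 1 root wheel 14 Dec 25 14:39:27 astarte A /z/usr/etc/modload -> ../kvm/modload
14102 0 crwxrwxrwx 1 root staff 37, 59 Dec 25 14:40:31 astarte A /z/export/root/osiris/dev/tap
13384 12 drwxr-sr-x 2 root staff 11776 Dec 25 14:40:31 astarte M /z/export/root/osiris/dev
2228 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:55:10 ariel A /z/usr/bin/uudecode
"""

def flags(rec):
    """Properties a reviewer of such a timeline wants called out."""
    perms, name = rec["perms"], rec["path"].rsplit("/", 1)[-1]
    out = []
    if perms[0] in "cb":
        out.append("device-node")       # e.g. a /dev node created with mknod
    if perms[3] in "sS":
        out.append("setuid")            # e.g. a setuid-root binary being inspected
    if perms[6] in "sS":
        out.append("setgid")
    if name in (".rhosts", "hosts.equiv"):
        out.append("trust-file")        # files that grant rsh/rlogin without a password
    if rec["acm"] in "CM":
        out.append("metadata-changed")  # C/M rather than A: the object itself changed
    return out

def parse_record(line):
    """Parse one record into a dict, or return None for a non-record line."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(
        f"{YEAR} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    rec["flags"] = flags(rec)
    return rec

def parse_dump(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def sessions(records, gap=300):
    """Split records into bursts separated by more than `gap` seconds of silence."""
    out = []
    for r in sorted(records, key=lambda r: r["when"]):
        if not out or (r["when"] - out[-1][-1]["when"]).total_seconds() > gap:
            out.append([])
        out[-1].append(r)
    return out

def span_seconds(records):
    """Elapsed time across a burst (how the transfer and compile times were read)."""
    times = [r["when"] for r in records]
    return int((max(times) - min(times)).total_seconds())
```

Feeding the whole dump to parse_dump and walking sessions() reproduces the per-burst grouping used in the commentary; annotation lines are skipped because they do not match the record pattern.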
Appears to be a "finger -l" to Rimmon. Note that in.fingerd was accessed again later, so its earlier access does not show up here (only the most recent access time is kept). This is believed to be a finger because no other server programs were accessed later. The "-l" is inferred from the accesses to the timezone files.
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/GMT
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/GMT+0
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/GMT-0
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/GMT0
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/Greenwich
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/UCT
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/UTC
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/Universal
6501 1 -rw-r--r-- 9 root staff 55 Dec 25 14:10:42 rimmon A /z/usr/share/lib/zoneinfo/Zulu
A "finger" to Rimmon. Note that the zoneinfo files were not accessed, hence no "-l".
17 1 lrwxrwxrwx 1 root wheel 10 Dec 25 14:11:00 rimmon A /z/usr/adm -> ../var/adm
3303 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:11:00 rimmon A /z/usr/etc/in.fingerd
2589 24 -rwxr-xr-x 1 root staff 24576 Dec 25 14:11:00 rimmon A /z/usr/ucb/finger
118 1 -rw-r--r-- 1 root staff 97 Dec 25 14:11:08 astarte A /z/export/root/osiris/etc/resolv.conf
A "finger -l" to Osiris. Note that even though Astarte is Osiris's fileserver, Osiris's private data was accessed as well.
61 10 -rw-r--r-- 1 root staff 9846 Dec 25 14:11:15 astarte A /z/export/root/osiris/etc/ttytab
64 2 -rw-rw-rw- 1 root staff 1080 Dec 25 14:11:15 astarte A /z/export/root/osiris/etc/utmp
2343 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:11:15 astarte A /z/usr/etc/in.fingerd
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT+0
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT-0
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/GMT0
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/Greenwich
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/UCT
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/UTC
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/Universal
4572 1 -rw-r--r-- 9 root staff 55 Dec 25 14:11:15 astarte A /z/usr/share/lib/zoneinfo/Zulu
1820 24 -rwxr-xr-x 1 root staff 24576 Dec 25 14:11:15 astarte A /z/usr/ucb/finger
Perhaps a "finger -l user" to Osiris. The user is inferred from the access to the lastlog file. There is no access to in.fingerd as Osiris still has it cached from the previous request.
14642 1 -rw-r--r-- 1 root staff 224 Dec 25 14:12:06 astarte A /z/export/root/osiris/var/adm/lastlog
An "rsh" connection to root on Osiris. Root is inferred from access to the .cshrc and .rhosts files (they are root's).
2272 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:18:37 astarte A /z/usr/etc/in.rshd
14650 1 -rw-r--r-- 1 root staff 589 Dec 25 14:18:38 astarte A /z/export/root/osiris/.cshrc
14653 1 -rw-r--r-- 1 root staff 187 Dec 25 14:18:38 astarte A /z/export/root/osiris/.rhosts
"uname" command on astarte or one of its clients. Given the recent history, almost certainly on Osiris.
1098 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:19:11 astarte A /z/usr/bin/uname
"file" command executed.
999 32 -rwxr-xr-x 1 root staff 32768 Dec 25 14:19:36 astarte A /z/usr/bin/file
"head" command executed.
1825 4 -rwxr-xr-x 1 root staff 3240 Dec 25 14:19:49 astarte A /z/usr/ucb/head
"whereis" command executed. Given the next few commands, "whereis gunzip" would be a reasonable candidate (there is no standard place for gzip to live, if it is present at all).
13 1 lrwxrwxrwx 1 root wheel 9 Dec 25 14:20:43 astarte A /z/usr/src -> share/src
1843 8 -rwxr-xr-x 1 root staff 7744 Dec 25 14:20:43 astarte A /z/usr/ucb/whereis
17 1 lrwxrwxrwx 1 root wheel 9 Dec 25 14:20:45 astarte A /z/usr/man -> share/man
A uuencoded gzip'd file is transferred (transfer time was < 18 seconds), unpacked, and uncompressed.
1087 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:21:10 astarte A /z/usr/bin/uudecode
183233 88 -rwxr-xr-x 3 root staff 90112 Dec 25 14:21:28 astarte A /z/x/usr_u1/local/bin/gunzip
183233 88 -rwxr-xr-x 3 root staff 90112 Dec 25 14:21:28 astarte A /z/x/usr_u1/local/bin/gzip
183233 88 -rwxr-xr-x 3 root staff 90112 Dec 25 14:21:28 astarte A /z/x/usr_u1/local/bin/zcat
The file just transferred is compiled. From the list of included header files, such as "arpa/telnet.h", this is likely a backdoor access telnet program of some sort. From the access to iropt, we infer that the optimizer ("cc -O") was used. It took 19 seconds to compile.
5453 2 -r--r--r-- 1 root staff 1732 Dec 25 14:21:40 astarte A /z/usr/include/stdio.h
6786 5 -r--r--r-- 1 root staff 5041 Dec 25 14:21:40 astarte A /z/usr/include/sys/socket.h
6789 2 -r--r--r-- 1 root staff 1163 Dec 25 14:21:40 astarte A /z/usr/include/sys/stdtypes.h
6796 1 -r--r--r-- 1 root staff 399 Dec 25 14:21:40 astarte A /z/usr/include/sys/sysmacros.h
6809 3 -r--r--r-- 1 root staff 2979 Dec 25 14:21:40 astarte A /z/usr/include/sys/types.h
9463 96 -rwxr-xr-x 1 bin bin 98304 Dec 25 14:21:40 astarte A /z/usr/lib/compile
9510 80 -rwxr-xr-x 1 root staff 81920 Dec 25 14:21:40 astarte A /z/usr/lib/cpp
9462 1 -rw-r--r-- 1 bin bin 80 Dec 25 14:21:40 astarte A /z/usr/lib/lang_info
5457 1 lrwxrwxrwx 1 root wheel 11 Dec 25 14:21:41 astarte A /z/usr/include/fcntl.h -> sys/fcntl.h
5409 3 -r--r--r-- 1 root staff 2649 Dec 25 14:21:41 astarte A /z/usr/include/netdb.h
6280 6 -r--r--r-- 1 root staff 5366 Dec 25 14:21:41 astarte A /z/usr/include/netinet/in.h
5452 1 -r--r--r-- 1 root staff 563 Dec 25 14:21:41 astarte A /z/usr/include/pwd.h
5420 4 -r--r--r-- 1 root staff 3317 Dec 25 14:21:41 astarte A /z/usr/include/signal.h
6748 1 -r--r--r-- 1 root staff 180 Dec 25 14:21:41 astarte A /z/usr/include/sys/fcntl.h
6749 6 -r--r--r-- 1 root staff 5298 Dec 25 14:21:41 astarte A /z/usr/include/sys/fcntlcom.h
6772 5 -r--r--r-- 1 root staff 4890 Dec 25 14:21:41 astarte A /z/usr/include/sys/param.h
6782 2 -r--r--r-- 1 root staff 1740 Dec 25 14:21:41 astarte A /z/usr/include/sys/resource.h
6785 12 -r--r--r-- 1 root staff 11873 Dec 25 14:21:41 astarte A /z/usr/include/sys/signal.h
6790 3 -r--r--r-- 1 root staff 2771 Dec 25 14:21:41 astarte A /z/usr/include/sys/stat.h
6800 2 -r--r--r-- 1 root staff 1777 Dec 25 14:21:41 astarte A /z/usr/include/sys/time.h
6832 4 -r--r--r-- 1 root staff 3857 Dec 25 14:21:41 astarte A /z/usr/include/sys/wait.h
5455 1 -r--r--r-- 1 root staff 553 Dec 25 14:21:41 astarte A /z/usr/include/time.h
12553 2 -r--r--r-- 1 root staff 1029 Dec 25 14:21:41 astarte A /z/usr/include/vm/faultcode.h
2412 1 -r--r--r-- 1 root staff 488 Dec 25 14:21:42 astarte A /z/usr/include/arpa/inet.h
2414 4 -r--r--r-- 1 root staff 3351 Dec 25 14:21:42 astarte A /z/usr/include/arpa/telnet.h
5391 1 -r--r--r-- 1 root staff 172 Dec 25 14:21:42 astarte A /z/usr/include/errno.h
18841 5 -r--r--r-- 1 root staff 5057 Dec 25 14:21:42 astarte A /z/usr/include/sun4c/param.h
6746 5 -r--r--r-- 1 root staff 4990 Dec 25 14:21:42 astarte A /z/usr/include/sys/errno.h
6752 2 -r--r--r-- 1 root staff 1269 Dec 25 14:21:42 astarte A /z/usr/include/sys/filio.h
6756 3 -r--r--r-- 1 root staff 2905 Dec 25 14:21:42 astarte A /z/usr/include/sys/ioccom.h
6757 2 -r--r--r-- 1 root staff 1569 Dec 25 14:21:42 astarte A /z/usr/include/sys/ioctl.h
6788 4 -r--r--r-- 1 root staff 3886 Dec 25 14:21:42 astarte A /z/usr/include/sys/sockio.h
6804 7 -r--r--r-- 1 root staff 6970 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttold.h
6806 2 -r--r--r-- 1 root staff 1299 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttychars.h
6807 4 -r--r--r-- 1 root staff 3756 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttycom.h
6808 1 -r--r--r-- 1 root staff 755 Dec 25 14:21:42 astarte A /z/usr/include/sys/ttydev.h
9515 208 -r-xr-xr-x 1 root staff 204800 Dec 25 14:21:46 astarte A /z/usr/lib/iropt
9512 152 -r-xr-xr-x 1 root staff 147456 Dec 25 14:21:49 astarte A /z/usr/lib/cg
1125 232 -r-xr-xr-x 1 root staff 221215 Dec 25 14:21:51 astarte A /z/usr/bin/as
1127 312 -rwxr-xr-x 1 root staff 303617 Dec 25 14:21:59 astarte A /z/usr/bin/ld
9423 2 -rw-r--r-- 1 root staff 1132 Dec 25 14:21:59 astarte A /z/usr/lib/crt0.o
9415 9 -rw-r--r-- 1 root staff 8478 Dec 25 14:21:59 astarte A /z/usr/lib/libc.sa.1.9.1
"strings" was run on /x/usr_u1/openwin/bin/loadmodule (probably referenced as /usr/openwin/bin/loadmodule).
1835 5 -rwxr-xr-x 1 root staff 4904 Dec 25 14:22:20 astarte A /z/usr/ucb/strings
83057 24 -rwsr-xr-x 1 root staff 24576 Dec 25 14:22:20 astarte A /z/x/usr_u1/openwin/bin/loadmodule
Probably searching for something in /usr/kvm/modload with "egrep". Might be the output of a "strings", as "egrep" doesn't work well on binaries; strings would still be cached. Perhaps the intruder is interested in loading a kernel module.
1101 24 -rwxr-xr-x 1 root staff 24576 Dec 25 14:22:53 astarte A /z/usr/bin/egrep
11264 24 -rwxr-xr-x 1 root staff 24576 Dec 25 14:22:53 astarte A /z/usr/kvm/modload
"env" was run --- perhaps to strip the environment from something, like the backdoor program?
935 6 -rwxr-xr-x 1 root staff 5560 Dec 25 14:23:15 astarte A /z/usr/bin/env
"file" was executed.
105 4 -rw-r--r-- 1 root staff 3292 Dec 25 14:23:26 astarte A /z/export/root/osiris/etc/magic
Some kind of system status command, like "w" or "ps" was executed.
63 144 -rw-r--r-- 1 root staff 138592 Dec 25 14:24:08 astarte A /z/export/root/osiris/etc/psdatabase
Entry via the back door?
16156 1 -rw-r--r-- 1 root staff 684 Dec 25 14:24:24 astarte A /z/usr/share/lib/terminfo/u/unknown
In my home directory, /u1/tsutomu, browsing ...
16048 2 -rw-r--r-- 1 tsutomu g 1265 Dec 25 14:25:57 astarte A /z/u1/tsutomu/sun.stuff
16518 1 -rw-r--r-- 1 tsutomu g 838 Dec 25 14:28:55 astarte A /z/u1/tsutomu/r.break.again
16555 5 -rw-r--r-- 1 tsutomu g 5050 Dec 25 14:28:55 astarte A /z/u1/tsutomu/r.break.more
153822 25 -rw-r--r-- 2 tsutomu g 25080 Dec 25 14:29:54 astarte A /z/u1/tsutomu/hack/hackdir/rumors
153822 25 -rw-r--r-- 2 tsutomu g 25080 Dec 25 14:29:54 astarte A /z/u1/tsutomu/hack/rumors
"diff stel.c stelnet.c", or some such, executed.
22798 51 -rw-r--r-- 1 tsutomu g 51444 Dec 25 14:30:51 astarte A /z/u1/tsutomu/src/stel.c
22797 51 -rw-r--r-- 1 tsutomu g 51424 Dec 25 14:30:51 astarte A /z/u1/tsutomu/src/stelnet.c
923 30 -rwxr-xr-x 1 root staff 29952 Dec 25 14:30:51 astarte A /z/usr/bin/diff
More browsing.
22730 3 -rw-r--r-- 1 tsutomu g 2798 Dec 25 14:31:23 astarte A /z/u1/tsutomu/src/memtest.c
22728 1 -rw-r--r-- 1 tsutomu g 141 Dec 25 14:31:35 astarte A /z/u1/tsutomu/src/usemem.c
57 5 -rw-r--r-- 1 root staff 4202 Dec 25 14:32:28 astarte A /z/export/root/osiris/etc/inetd.conf
117 1 -rw-r--r-- 1 root staff 10 Dec 25 14:33:04 astarte A /z/export/root/osiris/etc/hosts.deny
6871 2 -rw-r--r-- 2 root staff 1323 Dec 25 14:33:22 astarte A /z/usr/share/lib/terminfo/v/vs100s
6871 2 -rw-r--r-- 2 root staff 1323 Dec 25 14:33:22 astarte A /z/usr/share/lib/terminfo/x/xterms
Appears to be fetching a file, making a directory, and untarring the file.
9511 352 -r-xr-xr-x 1 root staff 344586 Dec 25 14:34:10 astarte A /z/usr/lib/ccom
1150 4 -rwxr-xr-x 1 root staff 3416 Dec 25 14:34:15 astarte A /z/usr/bin/id
58 2 -rw-r--r-- 1 root staff 1940 Dec 25 14:34:26 astarte A /z/export/root/osiris/etc/services
940 3 -rwxr-xr-x 1 root staff 2864 Dec 25 14:36:32 astarte A /z/usr/bin/mkdir
961 152 -rwxr-xr-x 1 root staff 147456 Dec 25 14:36:59 astarte A /z/usr/bin/tar
Running a "make".
924 128 -rwxr-xr-x 1 root staff 115472 Dec 25 14:37:16 astarte A /z/usr/bin/make
929 1 -rwxr-xr-x 1 root staff 164 Dec 25 14:37:17 astarte A /z/usr/bin/mach
928 1 -rwxr-xr-x 1 root staff 63 Dec 25 14:37:17 astarte A /z/usr/bin/true
6833 4 -r--r--r-- 1 root staff 3942 Dec 25 14:37:17 astarte A /z/usr/include/make/default.mk
11260 1 -rwxr-xr-x 1 root staff 1010 Dec 25 14:37:17 astarte A /z/usr/kvm/arch
Compiling a program which uses curses, a package for handling screens and cursor movements. This program also cares about stuff having to do with terminal I/O (termio.h).
7384 6 -r--r--r-- 1 root staff 5180 Dec 25 14:37:18 astarte A /z/usr/5include/stdio.h
7652 1 -r--r--r-- 1 root staff 224 Dec 25 14:37:18 astarte A /z/usr/5include/sys/fcntl.h
7376 24 -r--r--r-- 1 root staff 23646 Dec 25 14:37:19 astarte A /z/usr/5include/curses.h
7386 2 -r--r--r-- 1 root staff 1489 Dec 25 14:37:19 astarte A /z/usr/5include/time.h
7378 1 -r--r--r-- 1 root staff 513 Dec 25 14:37:19 astarte A /z/usr/5include/unctrl.h
6799 6 -r--r--r-- 1 root staff 5837 Dec 25 14:37:19 astarte A /z/usr/include/sys/termios.h
5440 1 lrwxrwxrwx 1 root wheel 13 Dec 25 14:37:21 astarte A /z/usr/include/stropts.h -> sys/stropts.h
6792 3 -r--r--r-- 1 root staff 3016 Dec 25 14:37:21 astarte A /z/usr/include/sys/stropts.h
6813 5 -r--r--r-- 1 root staff 4481 Dec 25 14:37:21 astarte A /z/usr/include/sys/unistd.h
6820 1 -r--r--r-- 1 root staff 539 Dec 25 14:37:21 astarte A /z/usr/include/sys/varargs.h
5445 1 lrwxrwxrwx 1 root wheel 12 Dec 25 14:37:21 astarte A /z/usr/include/unistd.h -> sys/unistd.h
5446 1 lrwxrwxrwx 1 root wheel 13 Dec 25 14:37:21 astarte A /z/usr/include/varargs.h -> sys/varargs.h
6798 1 -r--r--r-- 1 root staff 748 Dec 25 14:37:24 astarte A /z/usr/include/sys/termio.h
7387 1 lrwxrwxrwx 1 root wheel 11 Dec 25 14:37:25 astarte A /z/usr/5include/fcntl.h -> sys/fcntl.h
5444 1 lrwxrwxrwx 1 root wheel 12 Dec 25 14:37:25 astarte A /z/usr/include/termio.h -> sys/termio.h
963 1 lrwxrwxrwx 1 root wheel 14 Dec 25 14:37:27 astarte A /z/usr/bin/cc -> ../lib/compile
8518 9 -rw-r--r-- 1 root staff 8478 Dec 25 14:37:28 astarte A /z/usr/5lib/libc.sa.2.9.1
8530 248 -rw-r--r-- 3 root staff 242342 Dec 25 14:37:28 astarte A /z/usr/5lib/libcurses.a
8530 248 -rw-r--r-- 3 root staff 242342 Dec 25 14:37:28 astarte A /z/usr/5lib/libtermcap.a
8530 248 -rw-r--r-- 3 root staff 242342 Dec 25 14:37:28 astarte A /z/usr/5lib/libtermlib.a
Compiling a program which appears to be a kernel module, which we soon discover to be "tap". Note invocations of programs for determining kernel architecture, etc.
930 1 lrwxrwxrwx 1 root wheel 11 Dec 25 14:38:22 astarte A /z/usr/bin/arch -> ../kvm/arch
970 1 lrwxrwxrwx 1 root wheel 12 Dec 25 14:38:22 astarte A /z/usr/bin/sparc -> ../kvm/sparc
984 1 lrwxrwxrwx 1 root wheel 12 Dec 25 14:38:22 astarte A /z/usr/bin/sun4c -> ../kvm/sun4c
6791 17 -r--r--r-- 1 root staff 16716 Dec 25 14:38:22 astarte A /z/usr/include/sys/stream.h
6815 8 -r--r--r-- 1 root staff 7252 Dec 25 14:38:22 astarte A /z/usr/include/sys/user.h
11242 1 lrwxrwxrwx 1 root wheel 11 Dec 25 14:38:22 astarte A /z/usr/kvm/sparc -> ../bin/true
11254 1 lrwxrwxrwx 1 root wheel 11 Dec 25 14:38:22 astarte A /z/usr/kvm/sun4c -> ../bin/true
1854 1 lrwxrwxrwx 1 root wheel 14 Dec 25 14:38:22 astarte A /z/usr/ucb/cc -> ../lib/compile
14648 1 lrwxrwxrwx 1 root wheel 7 Dec 25 14:38:23 astarte A /z/export/root/osiris/lib -> usr/lib
5447 1 lrwxrwxrwx 1 root wheel 14 Dec 25 14:38:23 astarte A /z/usr/include/machine -> ../kvm/machine
16639 10 -r--r--r-- 1 root staff 9966 Dec 25 14:38:23 astarte A /z/usr/include/sun/vddrv.h
18842 2 -r--r--r-- 1 root staff 1839 Dec 25 14:38:23 astarte A /z/usr/include/sun4c/pcb.h
18845 7 -r--r--r-- 1 root staff 6763 Dec 25 14:38:23 astarte A /z/usr/include/sun4c/reg.h
6729 6 -r--r--r-- 1 root staff 5371 Dec 25 14:38:23 astarte A /z/usr/include/sys/audit.h
6735 2 -r--r--r-- 1 root staff 1216 Dec 25 14:38:23 astarte A /z/usr/include/sys/conf.h
6747 2 -r--r--r-- 1 root staff 1320 Dec 25 14:38:23 astarte A /z/usr/include/sys/exec.h
6751 3 -r--r--r-- 1 root staff 2475 Dec 25 14:38:23 astarte A /z/usr/include/sys/file.h
6761 1 -r--r--r-- 1 root staff 280 Dec 25 14:38:23 astarte A /z/usr/include/sys/label.h
6776 7 -r--r--r-- 1 root staff 6931 Dec 25 14:38:23 astarte A /z/usr/include/sys/proc.h
6783 3 -r--r--r-- 1 root staff 2060 Dec 25 14:38:23 astarte A /z/usr/include/sys/session.h
6810 1 -r--r--r-- 1 root staff 803 Dec 25 14:38:23 astarte A /z/usr/include/sys/ucred.h
11233 1 lrwxrwxrwx 1 root wheel 16 Dec 25 14:38:23 astarte A /z/usr/kvm/machine -> ../include/sun4c
A "pwd" somewhere.
945 3 -rwxr-xr-x 1 root staff 2128 Dec 25 14:39:12 astarte A /z/usr/bin/pwd
The kernel module is loaded, followed by a "modstat" to verify that it loaded properly and get module info.
2314 1 lrwxrwxrwx 1 root wheel 14 Dec 25 14:39:27 astarte A /z/usr/etc/modload -> ../kvm/modload
14657 1304 -rwxr-xr-x 1 root wheel 1322027 Dec 25 14:39:30 astarte A /z/export/root/osiris/vmunix
1136 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:39:30 astarte A /z/usr/bin/strip
14 1 lrwxrwxrwx 1 root wheel 10 Dec 25 14:39:32 astarte A /z/usr/tmp -> ../var/tmp
2313 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:39:39 astarte A /z/usr/etc/modstat
Create "/dev/tap", presumably to access the kernel module just loaded.
2294 3 -rwxr-xr-x 1 root staff 2888 Dec 25 14:40:30 astarte A /z/usr/etc/mknod
14102 0 crwxrwxrwx 1 root staff 37, 59 Dec 25 14:40:31 astarte A /z/export/root/osiris/dev/tap
13384 12 drwxr-sr-x 2 root staff 11776 Dec 25 14:40:31 astarte M /z/export/root/osiris/dev
14102 0 crwxrwxrwx 1 root staff 37, 59 Dec 25 14:40:31 astarte M /z/export/root/osiris/dev/tap
Perhaps running the curses program just compiled?
8519 552 -rwxr-xr-x 1 root staff 557056 Dec 25 14:46:42 astarte A /z/usr/5lib/libc.so.2.9.1
Perhaps an attempt to "rlogin" to ariel? It failed.
2106 0 -r--r--r-- 1 root staff 0 Dec 25 14:51:14 ariel A /z/etc/hosts.equiv
Intruder appears on Ariel, almost 4 minutes later. Mechanism is unknown --- perhaps it has something to do with the "tap" module just loaded? The same uudecode drill as before is repeated, to download and compile a backdoor program.
2228 16 -rwxr-xr-x 1 root staff 16384 Dec 25 14:55:10 ariel A /z/usr/bin/uudecode
Compiling the backdoor telnet program. Note the same headers as above, on Osiris.
12366 1 -r--r--r-- 1 root staff 563 Dec 25 14:56:16 ariel A /z/usr/include/pwd.h
12367 2 -r--r--r-- 1 root staff 1732 Dec 25 14:56:16 ariel A /z/usr/include/stdio.h
15432 2 -r--r--r-- 1 root staff 1740 Dec 25 14:56:16 ariel A /z/usr/include/sys/resource.h
15436 5 -r--r--r-- 1 root staff 5041 Dec 25 14:56:16 ariel A /z/usr/include/sys/socket.h
12305 1 -r--r--r-- 1 root staff 172 Dec 25 14:56:17 ariel A /z/usr/include/errno.h
12371 1 lrwxrwxrwx 1 root wheel 11 Dec 25 14:56:17 ariel A /z/usr/include/fcntl.h -> sys/fcntl.h
12361 1 lrwxrwxrwx 1 root wheel 14 Dec 25 14:56:17 ariel A /z/usr/include/machine -> ../kvm/machine
12323 3 -r--r--r-- 1 root staff 2649 Dec 25 14:56:17 ariel A /z/usr/include/netdb.h
14346 6 -r--r--r-- 1 root staff 5366 Dec 25 14:56:17 ariel A /z/usr/include/netinet/in.h
12334 4 -r--r--r-- 1 root staff 3317 Dec 25 14:56:17 ariel A /z/usr/include/signal.h
41048 5 -r--r--r-- 1 root staff 4901 Dec 25 14:56:17 ariel A /z/usr/include/sun4/param.h
15396 5 -r--r--r-- 1 root staff 4990 Dec 25 14:56:17 ariel A /z/usr/include/sys/errno.h
15398 1 -r--r--r-- 1 root staff 180 Dec 25 14:56:17 ariel A /z/usr/include/sys/fcntl.h
15399 6 -r--r--r-- 1 root staff 5298 Dec 25 14:56:17 ariel A /z/usr/include/sys/fcntlcom.h
15422 5 -r--r--r-- 1 root staff 4890 Dec 25 14:56:17 ariel A /z/usr/include/sys/param.h
15435 12 -r--r--r-- 1 root staff 11873 Dec 25 14:56:17 ariel A /z/usr/include/sys/signal.h
15482 4 -r--r--r-- 1 root staff 3857 Dec 25 14:56:17 ariel A /z/usr/include/sys/wait.h
28705 2 -r--r--r-- 1 root staff 1029 Dec 25 14:56:17 ariel A /z/usr/include/vm/faultcode.h
35881 1 lrwxrwxrwx 1 root wheel 15 Dec 25 14:56:17 ariel A /z/usr/kvm/machine -> ../include/sun4
53274 1 -r--r--r-- 1 root staff 488 Dec 25 14:56:18 ariel A /z/usr/include/arpa/inet.h
53276 4 -r--r--r-- 1 root staff 3351 Dec 25 14:56:18 ariel A /z/usr/include/arpa/telnet.h
15402 2 -r--r--r-- 1 root staff 1269 Dec 25 14:56:18 ariel A /z/usr/include/sys/filio.h
15406 3 -r--r--r-- 1 root staff 2905 Dec 25 14:56:18 ariel A /z/usr/include/sys/ioccom.h
15407 2 -r--r--r-- 1 root staff 1569 Dec 25 14:56:18 ariel A /z/usr/include/sys/ioctl.h
15438 4 -r--r--r-- 1 root staff 3886 Dec 25 14:56:18 ariel A /z/usr/include/sys/sockio.h
15454 7 -r--r--r-- 1 root staff 6970 Dec 25 14:56:18 ariel A /z/usr/include/sys/ttold.h
15456 2 -r--r--r-- 1 root staff 1299 Dec 25 14:56:18 ariel A /z/usr/include/sys/ttychars.h
15457 4 -r--r--r-- 1 root staff 3756 Dec 25 14:56:18 ariel A /z/usr/include/sys/ttycom.h
15458 1 -r--r--r-- 1 root staff 755 Dec 25 14:56:18 ariel A /z/usr/include/sys/ttydev.h
69771 208 -r-xr-xr-x 1 root staff 204800 Dec 25 14:56:20 ariel A /z/usr/lib/iropt
69768 152 -r-xr-xr-x 1 root staff 147456 Dec 25 14:56:23 ariel A /z/usr/lib/cg
Probably checking to see where things are being logged to.
2119 2 -rw-r--r-- 1 root staff 1805 Dec 25 15:00:33 ariel A /z/etc/syslog.conf
Appears to be compiling a program for modifying file access/modification/creation times. Inferred from the header files accessed.
12337 2 -r--r--r-- 1 root staff 1068 Dec 25 15:05:08 ariel A /z/usr/include/string.h
15440 3 -r--r--r-- 1 root staff 2771 Dec 25 15:05:08 ariel A /z/usr/include/sys/stat.h
15439 2 -r--r--r-- 1 root staff 1163 Dec 25 15:05:08 ariel A /z/usr/include/sys/stdtypes.h
15446 1 -r--r--r-- 1 root staff 399 Dec 25 15:05:08 ariel A /z/usr/include/sys/sysmacros.h
15450 2 -r--r--r-- 1 root staff 1777 Dec 25 15:05:08 ariel A /z/usr/include/sys/time.h
15459 3 -r--r--r-- 1 root staff 2979 Dec 25 15:05:08 ariel A /z/usr/include/sys/types.h
12369 1 -r--r--r-- 1 root staff 553 Dec 25 15:05:08 ariel A /z/usr/include/time.h
Presumably tweaking access/modification times on something.
41005 16 -rwxr-xr-x 1 root staff 16384 Dec 25 15:08:50 ariel A /z/usr/5bin/touch
New junk mail received (unrelated to the attack).
4969 3728 -rw--w---- 1 tsutomu daemon 3806752 Dec 25 15:10:22 ariel C /z/u1/tsutomu/etc/ts.mail
Browsing my files on Ariel ...
64358 1 -rw-r--r-- 1 tsutomu g 669 Dec 25 15:14:53 ariel C /z/u1/tsutomu/security/FILE-FORMAT
64359 1 -rw-r--r-- 1 tsutomu g 136 Dec 25 15:14:53 ariel C /z/u1/tsutomu/security/README
64360 39 -rw-r--r-- 1 tsutomu g 39182 Dec 25 15:14:53 ariel C /z/u1/tsutomu/security/christmas.exec
64361 38 -rw-r--r-- 1 tsutomu g 38331 Dec 25 15:14:53 ariel C /z/u1/tsutomu/security/epidemic-control
Copyright © 1995 Vicious Fishes Web Design and Dan Meriwether. All rights reserved. Contact: webmaster@takedown.com