Sunday, May 17, 2009

Worm in Solaris 10: unexpected broadcast messages (in.telnetd vulnerability)

While working in a Solaris 10 terminal window, I got the following unexpected broadcast messages from adm (???). They are harmless, but I wondered how a Unix system could get infected with such a worm.

asr@tks> Broadcast Message from adm (???) on tks Mon Oct 13 12:10:00...
__
{" "}
*-*
( Y )
()"*"()
(_)-(_)

use@sapp> Broadcast Message from adm (???) on sapp Fri Jun 13 12:10:00...
Hi, I'm Casper , I am a bored Sun developer and I wrote this piece of code.

Broadcast Message from adm (???) on jtksf Fri Mar 13 12:10:00...

W O R M S A G A I N S T N U C L E A R K I L L E R S ______________________________________________________
\ _ _______ __________________ __ ____ ___ __ __ ____/
\ \ \ /\ / / / /\ \ | \ \ | | | | / / /
\ \ \ / \ / / / /_\ \ | |\ \ | | | | / / /
\ \ \/ /\ \/ / / ___ \ | | \ \ | | | | \ \ /
\ _\ /__\ /__/ /____\ \__| |__\ | |_| | _\ \_/
\_____________________________________________/
\ /
\ Your System Has Been Officically WANKed /
\_______________________________________/

You talk of times of peace for all, and then prepare for war

The following explanation is taken from Sun Alert 102802. It is useful both for detecting such a worm and for cleaning up an infected system.

Sun Microsystems is aware of an active worm which exploits the in.telnetd vulnerability. Here are a few steps to help determine if a Solaris 10 or Nevada system may be infected:
$ ls -la /var/adm/wtmpx

If the permissions are:
-rw-r--rw- 1 adm adm 1116 Feb 28 12:03 wtmpx

the system may be infected. Next the following command can be run:
$ ls -la /var/adm/sa

If there is a directory named .adm, the system is probably infected. Other possible indications include the existence of the files:

/var/adm/.profile
/var/spool/lp/.profile

Additionally possible indications include modified crontab entries for users adm and lp.

# cd /var/spool/cron/crontabs
# grep PATH=\. *
adm:#10 1 * * * (cd /var/adm/sa/ && cd .adm && [ -x sysadm ] && PATH=. sysadm) >/dev/null 2>&1 &
lp:#10 1 * * * (cd /var/spool/lp/admins/ && cd .lp && [ -x lpsystem ] && PATH=. lpsystem) >/dev/null 2>&1 &
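To run the four checks above in one pass, here is an added shell script (it is not Sun's inoculate.local and not part of the original post). It only reports the indicators from the alert and removes nothing; the function names and the constructed "infected" sample tree are my own, and the path prefix argument is there so it can be run against a mounted image as well as a live system.

```shell
#!/bin/sh
# Added example (not Sun's inoculate.local): report the indicators listed in
# Sun Alert 102802 without changing anything. $1 is a path prefix so the checks
# can run on a mounted image or a constructed tree; omit it for the live system.
check_worm_indicators() {
    root=${1:-}
    hits=0
    # 1. wtmpx left mode 0646 (-rw-r--rw-) by the worm
    wtmpx="$root/var/adm/wtmpx"
    if [ -f "$wtmpx" ] && [ "$(ls -ld "$wtmpx" | cut -c1-10)" = "-rw-r--rw-" ]; then
        echo "INDICATOR: $wtmpx is mode -rw-r--rw-"; hits=$((hits + 1))
    fi
    # 2. hidden directories the worm's cron entries cd into
    for d in /var/adm/sa/.adm /var/spool/lp/admins/.lp; do
        [ -d "$root$d" ] && { echo "INDICATOR: directory $d exists"; hits=$((hits + 1)); }
    done
    # 3. dropped .profile files for adm and lp
    for f in /var/adm/.profile /var/spool/lp/.profile; do
        [ -f "$root$f" ] && { echo "INDICATOR: file $f exists"; hits=$((hits + 1)); }
    done
    # 4. adm/lp crontab entries that run a binary from the hidden dir with PATH=.
    for u in adm lp; do
        c="$root/var/spool/cron/crontabs/$u"
        if [ -f "$c" ] && grep -q 'PATH=\.' "$c"; then
            echo "INDICATOR: crontab for $u:"; grep 'PATH=\.' "$c"; hits=$((hits + 1))
        fi
    done
    echo "$hits indicator(s) found"
    return "$hits"   # exit status = number of indicators, 0 means none found
}

# Constructed sample tree (hypothetical, for demonstration) showing every indicator.
make_infected_sample() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/var/adm/sa/.adm" "$r/var/spool/lp/admins/.lp" "$r/var/spool/cron/crontabs"
    : > "$r/var/adm/wtmpx"; chmod 646 "$r/var/adm/wtmpx"
    : > "$r/var/adm/.profile"; : > "$r/var/spool/lp/.profile"
    echo '#10 1 * * * (cd /var/adm/sa/ && cd .adm && [ -x sysadm ] && PATH=. sysadm) >/dev/null 2>&1 &' \
        > "$r/var/spool/cron/crontabs/adm"
    echo '#10 1 * * * (cd /var/spool/lp/admins/ && cd .lp && [ -x lpsystem ] && PATH=. lpsystem) >/dev/null 2>&1 &' \
        > "$r/var/spool/cron/crontabs/lp"
    echo "$r"
}

sample=$(make_infected_sample)
check_worm_indicators "$sample" || echo "exit status $?: system looks infected"
rm -rf "$sample"
```

On a live system run it as root with no argument; a non-zero exit status means at least one indicator was found and the alert's cleanup steps apply.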

The following Korn shell script, inoculate.local, can be run locally on an infected system to remove the worm and prevent further re-infection by disabling the telnet service.
Copy the script into a file (for example, in /tmp or /var/tmp) and run the script as the root user.

#!/bin/ksh -p
#
# Save this script as "inoculate.local" (for example, in /tmp or /var/tmp)
# and run the script as the root user
#
# Usage: inoculate.local

# Disable telnet first, closing the entry point; svcadm fails unless run as root
/usr/sbin/svcadm disable telnet || {
    echo This script must run as root. 1>&2
    exit 1
}

# Cleanup filesystem
/bin/rm -f /var/adm/.profile /var/spool/lp/.profile
/bin/rm -rf /var/spool/lp/admins/.lp
/bin/rm -rf /var/adm/sa/.adm
/bin/chmod 644 /var/adm/wtmpx

# Cleanup crontab
t=`/bin/mktemp /tmp/cr.XXXXXX`

/bin/crontab -l adm > $t
/bin/egrep -v 'Restarting scheduler|cd \.adm' $t | su adm -c /bin/crontab

/bin/crontab -l lp > $t
/bin/egrep -v 'Restarting scheduler|cd \.lp' $t | su lp -c /bin/crontab

/bin/rm -f $t

# Kill processes (the worm names its binaries after legitimate lp and adm tools)
/bin/pkill -9 -u lp 'lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'
/bin/pkill -9 -u adm 'devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'
