Solaris 10 Worm
Not quite sure how relevant this is; the more I look into it the more it seems to be old hat, but I only found out about it today so decided to share it with anyone who is interested.
Here is a link to the description of the worm and what it does, and below there are instructions on how to disable the Wanuk Worm. This is the link to the description:
http://www.virusbtn.com/virusbulletin/archive/2007/04/vb200704-solaris-worm.dkb
Don't do an
# su - adm
or
# su - lp
as this will execute a malicious .profile of each user!
Look in /var/adm/sa/.adm to see if there are any .lp-door files or any other .xxxx files.
Move (and chmod 444) these files on your system if they are present:
# find /var -mtime +3650 | grep -v apache
/var/adm/.profile.weg
/var/adm/.sa.wegdamit/.adm.wegdamit/.lp-door.i86pc.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/inetadm.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/.sun4.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/.i86pc.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/devfsadmd.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/.lp-door.sun4.wegdamit
/var/spool/lp/admins/.lp.wegdamit/lpsystem.wegdamit
/var/spool/lp/admins/.lp.wegdamit/.lp-door.i86pc.wegdamit
/var/spool/lp/.profile.wegdamit
/var/spool/cron/crontabs/adm
/var/spool/cron/crontabs/lp
svcadm disable svc:/network/telnet
After that I expect the system to be clean, but I don't know whether it's really fully cleaned.
HTH
If not just ignore it.
Steve
Last edited by Wurzel; 14 November 2007 at 11:58 AM.
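An added example, not from Steve's post: a read-only check for the artefacts the post describes (the adm and lp .profile files, hidden files under /var/adm/sa/.adm and /var/spool/lp/admins/.lp, and the adm/lp crontabs). It never runs su and never modifies anything; the function name wanuk_check and the optional ROOT argument (to scan a mounted image or a constructed test tree instead of /) are my own assumptions.

```shell
#!/bin/sh
# Read-only scan for the Wanuk worm artefacts listed in the post.
# ROOT (default: empty, i.e. the live system) is prefixed to every path so the
# same function can be pointed at a mounted image or a test tree.
# Names and layout are assumptions for this example, not from the post.

wanuk_check() {
    root="${1:-}"
    # .profile in the adm and lp home directories: the post warns that
    # "su - adm" / "su - lp" executes these, so only their presence is reported
    for p in "$root/var/adm/.profile" "$root/var/spool/lp/.profile"; do
        [ -f "$p" ] && printf 'SUSPECT profile: %s\n' "$p"
    done
    # hidden drop directories and any dot files (.lp-door*, .sun4, .i86pc ...)
    for d in "$root/var/adm/sa/.adm" "$root/var/spool/lp/admins/.lp"; do
        [ -d "$d" ] || continue
        printf 'SUSPECT dir exists: %s\n' "$d"
        for f in "$d"/.[!.]* "$d"/..?*; do
            [ -e "$f" ] && printf 'SUSPECT hidden file: %s\n' "$f"
        done
    done
    # crontabs for the adm and lp accounts, which the post lists as artefacts
    for c in "$root/var/spool/cron/crontabs/adm" \
             "$root/var/spool/cron/crontabs/lp"; do
        [ -f "$c" ] && printf 'SUSPECT crontab: %s\n' "$c"
    done
    return 0
}

# Number of findings, handy for a monitoring check or a quick yes/no answer.
wanuk_finding_count() {
    wanuk_check "${1:-}" | wc -l | tr -d ' '
}

# Usage: sh wanuk_check.sh --check            (live system)
#        sh wanuk_check.sh --check /mnt/image (mounted root)
case "${1:-}" in
    --check) wanuk_check "${2:-}" ;;
esac
```

A clean host prints nothing; on a host that shows findings, rename and chmod 444 the files as the post describes rather than opening them as adm or lp.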