Wurzel

iTrader: (1)

Not quite sure how relevent this is, the more I look into it the more it seems to be old hat, but I only found out about it today so decided to share it with anyone who is interested.

Here is a link to the description of the worm and what it does, and there are instructions below as to how to disable the Wanuk Worm this is the link to the description.

http://www.virusbtn.com/virusbulletin/archive/2007/04/vb200704-solaris-worm.dkb

Don't do an
# su - adm
or
# su - lp

as this will execute a malicious .profile of each user!

Look in /var/adm/sa/.adm to see if there are any .lp-door files or any other .xxxx files.

Move (and chmod 444 these files on your system if they are present)

# find /var -mtime +3650 | grep -v apache /var/adm/.profile.weg /var/adm/.sa.wegdamit/.adm.wegdamit/.lp-door.i86pc.wegdamit

/var/adm/.sa.wegdamit/.adm.wegdamit/inetadm.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/.sun4.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/.i86pc.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/devfsadmd.wegdamit
/var/adm/.sa.wegdamit/.adm.wegdamit/.lp-door.sun4.wegdamit
/var/spool/lp/admins/.lp.wegdamit/lpsystem.wegdamit
/var/spool/lp/admins/.lp.wegdamit/.lp-door.i86pc.wegdamit
/var/spool/lp/.profile.wegdamit
/var/spool/cron/crontabs/adm
/var/spool/cron/crontabs/lp

svcadm disable svc:/network/telnet

After that - I expect that the system to be clean but I don't know if it's really fully cleaned.

HTH

If not just ignore it.

Steve

Boro

iTrader: (1)

what he said

NotoriousREV

I love Solaris viruses and hacks because a) they're usually pretty creative and b) they're easy to get rid of without a reinstall (unlike some other OSs I won't mention)