Earlier in the week we encountered two Solaris hosts on our internal network that were "down". After some investigation it was discovered that MANY files and links in the /usr/lib directory structure were gone. After recovering to a point that we could reboot, we checked the messages file and found that both servers began reporting errors about missing lib files at around the same time on the same night.
On both boxes, we found a new tar file in the root directory called 2003_Feb_05_22_30_01.tar. This tar file is reported as "English text" when it is evaluated with the file command. It reports its size as 1024. Running cat against the file returns nothing. If I vi the file it looks like an empty file; however, the feedback line at the bottom of the vi session reports "0 lines, 1024 characters (1024 null)".
I am not seeking help in recovery - we've done that. Anyone know of a hack/virus going around with similar symptoms? Since the affected boxes were on the internal network (no others were "hit") I would normally suspect an internal attack or errant program. However, I see in a very recent post where another Tek-Tip user is reporting suspiciously similar events.
Thanks in advance.
Joe