SUMMARY: System hacked

From: Ivan de Aquino Viana Junior (aquino@alpha.ciet.senai.br)
Date: Fri Dec 03 1999 - 13:05:25 CST


Thanks to:

Casper Dik
Andrew Nordby
John Hilger
Jerry Springer
Richard Jankowski
Daniel Luechtefeld
Chad Price
Rob McCauley
Jeff Kennedy
John Hackett
Matt Reynolds

My system WAS hacked last week by someone using either rpc.rstatd or
rpc.ttdbserverd exploits, that's why performance meter wasn't working
properly. Luckily I found all the files he installed and was able to
restore them. He managed to implant these trojan horses:

/usr/bin/login
/usr/bin/.ssh/cnb
/usr/bin/.ssh/milk
/usr/bin/.ssh/pageout
/usr/bin/netstat
/usr/bin/ps
/usr/sbin/in.rlogind
/usr/dt/bin/rcp.ttdbserverd

Original Question:
==================

My performance meter was showing a R.I.P sign and I didn't know if it
was a hacker's threat.

Solution:
=========
The "RIP" sign is a normal feature of Solaris perfmeter.
It indicates that perfmeter cannot contact rpc.rstatd.

Most of the people that answered suggested that I reinstall the system
from media and apply all security patches before I reattach it to the
net.

-- 
                        ''~``
                        ( o o )
+------------------.oooO--(_)--Oooo.------------------+
|Ivan de Aquino                      xxx-21-574-6500  |
|xxx-21-574-6534     .oooO           www.ciet.senai.br|
|Systems Admin       (   )   Oooo.   Rio de janeiro   |
+---------------------\ (----(   )--------------------+
                      (_)     ) /
                             (_/

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:34 CDT