This is an old exploit, you need to maintain the patches on your
system(s). A good number of SGI boxes have been cracked this way.
The latest available IRIX version is 6.5.6 (.7 expected any day).
A good place to start is at the sgi server, check for security related
info:
http://www.sgi.com/Support/security/security.html
http://www.sgi.com/Support/security/advisories.html
In particular:
ftp://sgigate.sgi.com/security/19981005-01-PX
-------------------
November 1998
19981005-01-P: Vulnerability in IRIX autofsd
=================
**** WARNING ****
=================
Disabling autofs(1M) daemon will prevent users from automatically
mounting remote file systems. The automount(1M) daemon can be used
as a temporary workaround. See the ONC3/NFS Administrator's Guide
which is available online from the insight program or via the web:
http://techpubs.sgi.com/library/
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Verify autofs(1M) daemon is enabled.
# chkconfig
Flag State
==== =====
autofs on
3) Disable autofs(1M) daemon.
# chkconfig autofs off
4) Verify autofs(1M) daemon has been disabled.
# chkconfig
Flag State
==== =====
autofs off
5) Reboot the system
# reboot
----------------------
You might also consider a re-install, who knows what else the cracker
might have done.
Good luck, and Happy 1900,
Rudi
-----------------------------------------
On 31 Dec, Yiu-Fai Lam wrote:
= Dear Folks,
= ATTENTION:
=
= Sorry to find out during the Christmas break that a hacker broke into my
= system, running IRIS 6.5.0.
= Apparently, a .rhosts file was created "+ + " and new user accounts
= were set up with no passwords and with the power as root.
= SYSLOG shows that once the rhosts was created, the hackers entered
= via the illegal accounts and installed an unknown number of sniff
= programs in my system disks.
= They created folders: afs_iris and nn, in which there are sniff programs
= to spring to other sites.
=
=
= The following attachment gave you some trace of what they did.
= While I am trying to get more export helps, please let me know if you
= have any comment or experience similar attacks during the same period of
= time.
= Appreciate any help you are willing to share,
=
= Well, what a way to spend the New Year Eve before the Y2K!
=
= Sincerely,
= Yiu-fai Lam
=
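
A read-only audit for the two indicators the report describes (a wildcard "+ +" .rhosts entry, and accounts with no password or with UID 0), as an added example that is not part of the original thread or of the SGI advisory. It assumes a POSIX sh and awk; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Read-only checks for the indicators described in the thread.

# List passwd entries with an empty password field, or with UID 0 under a
# name other than "root". $1 = passwd-format file. Some systems ship extra
# UID 0 accounts, so compare hits against a known-good baseline. Where a
# shadow file is in use (assumption), the password check belongs there.
suspicious_accounts() {
    awk -F: '
        /^#/ || NF < 3           { next }
        $2 == ""                 { print "nopass:" $1 }
        $3 == 0 && $1 != "root"  { print "uid0:" $1 }
    ' "$1"
}

# List wildcard trust lines (a bare "+" as host or user) in an rhosts-style
# file, such as the "+ +" entry from the report. $1 = file path.
wildcard_trust() {
    awk '$1 == "+" || $2 == "+" { print FILENAME ": " $0 }' "$1"
}

# Run both checks. $1 = passwd file, $2 = hosts.equiv path (both default to
# the usual /etc locations). Home directories are taken from passwd field 6.
audit_host() {
    passwd_file=${1:-/etc/passwd}
    equiv_file=${2:-/etc/hosts.equiv}
    suspicious_accounts "$passwd_file"
    awk -F: 'NF >= 6 && $6 != "" { print $6 }' "$passwd_file" | sort -u |
    while read -r home; do
        if [ -f "$home/.rhosts" ]; then wildcard_trust "$home/.rhosts"; fi
    done
    if [ -f "$equiv_file" ]; then wildcard_trust "$equiv_file"; fi
}

# Constructed sample data, so the script runs without touching real files.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/guest"
    printf '+ +\n' > "$d/guest/.rhosts"
    printf '%s\n' "root:x:0:0:root:$d/root:/bin/sh" \
        "guest::998:998::$d/guest:/bin/sh" \
        "toor:x:0:0::$d/guest:/bin/sh" > "$d/passwd"
    audit_host "$d/passwd" "$d/hosts.equiv"
    rm -rf "$d"
}
demo
```

On a live host, replace the final `demo` call with `audit_host` run as root, and treat any hit as a prompt to review the account or file rather than as proof of compromise.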