
List:       sun-managers
Subject:    Cybercop and Sun system
From:       "Subba Rao" <subb3 () ibm ! net>
Date:       1999-03-30 21:38:39

Here is my case

Event
=====

We ran Cybercop (Internet Audit tool) at the request of the client. We ran it against one segment. One of the systems is a SunOS system.

Issue
=====

The SunOS 5.6 system crashed. We did not do any DoS attacks. Standard port scanning, password guessing and FTP vulnerabilities, etc. The client blamed it on the Cybercop tool. Having done this many times before, I did tell my client that I did not have this problem before. The Sun system had a DBMS system running (RedBrick).

My customer shows me his syslog and blames the time of the system crash on this line.

     Mar 24  17:21:24 sunny inetd[2098]: /opt/SUNWvts/bin/vtsk: Hangup

The system,  however, continued to log after 17:21:24.

The next day's log has the following lines.

     Mar 25  07:36:13 sunny unix: WARNING: /tmp: File system full, swap space limit exceeded
     Mar 24  07:36:59 sunny inetd[2098]: /opt/SUNWvts/bin/vtsk: Segmentation Fault - core dumped

The above messages repeat a few times with minor variations in the message text. And then the following line appears,

     Mar 25  07:36:13 sunny unix: NOTICE: /disktest_c3t17d0s4: bad dir ino 2 at offset 0: mangled

There are many such lines. I strongly believe that the "disktest" caused the system to crash.

Question
========

What is the "vtsk" program? What does it do?


My client goes to the point of stating that Cybercop inserted a Cron job or a Trojan horse, which later caused the crash.

I would appreciate it if someone could shed some light on this with some pointers. If you used Cybercop with a SunOS system, I would like to hear your experiences too.

Thank you in advance.

Subba Rao
subb3@ibm.net
==============================================================
Disclaimer - I question and speak for myself.
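The dispute above comes down to reading a syslog timeline: which entries came after the line the customer blames, and whether the entries are even in chronological order. Below is an added example, not part of Subba Rao's post or of any Sun or Network Associates tool, that parses Solaris-style syslog lines and runs those two checks, plus a simple tagging of SunVTS-related, file-system-full and directory-corruption messages. For context, /opt/SUNWvts is the install path of SunVTS, the Sun Validation Test Suite; vtsk is its kernel daemon and disktest one of its tests. The sample log is constructed from the excerpts quoted in the post plus one clearly labelled filler line; the year 1999 is an assumption, since syslog timestamps carry no year, and the function and field names are my own.

```python
"""Timeline checks over Solaris syslog excerpts (added example, not from the post)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the first, third, fourth and fifth lines are the ones quoted in
# the post; the second is a filler entry standing in for "the system continued to log".
SAMPLE_LOG = """\
Mar 24 17:21:24 sunny inetd[2098]: /opt/SUNWvts/bin/vtsk: Hangup
Mar 24 18:02:51 sunny syslogd: constructed filler entry, not from the original log
Mar 25 07:36:13 sunny unix: WARNING: /tmp: File system full, swap space limit exceeded
Mar 24 07:36:59 sunny inetd[2098]: /opt/SUNWvts/bin/vtsk: Segmentation Fault - core dumped
Mar 25 07:36:13 sunny unix: NOTICE: /disktest_c3t17d0s4: bad dir ino 2 at offset 0: mangled
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# "Mon dd hh:mm:ss host proc[pid]: message"; the pid is optional (kernel lines say "unix:").
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$")


@dataclass
class Entry:
    ts: datetime
    host: str
    proc: str
    pid: Optional[int]
    msg: str
    raw: str


def parse_syslog(text: str, year: int) -> List[Entry]:
    """Parse syslog text into entries, in file order. Unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s)
        pid = int(m["pid"]) if m["pid"] else None
        entries.append(Entry(ts, m["host"], m["proc"], pid, m["msg"], raw))
    return entries


def find_time_regressions(entries: List[Entry]) -> List[Tuple[Entry, Entry]]:
    """Pairs (previous, current) where the current line is timestamped before its
    predecessor in the file: a sign of clock changes, mixed logs or a retyped excerpt."""
    return [(p, c) for p, c in zip(entries, entries[1:]) if c.ts < p.ts]


def entries_after(entries: List[Entry], anchor: datetime) -> List[Entry]:
    """Entries strictly later than the anchor, e.g. the line blamed for the crash."""
    return [e for e in entries if e.ts > anchor]


def tags(entry: Entry) -> List[str]:
    """Crude message tagging for the kinds of lines discussed in the post."""
    found = []
    if "bad dir ino" in entry.msg:
        found.append("fs_corrupt")
    if "File system full" in entry.msg:
        found.append("fs_full")
    if "/opt/SUNWvts/" in entry.msg or "/disktest_" in entry.msg:
        found.append("sunvts")
    return found


def report(text: str, year: int, anchor_substring: str) -> str:
    """Human-readable summary anchored on the first line containing anchor_substring."""
    entries = parse_syslog(text, year)
    anchor = next(e for e in entries if anchor_substring in e.msg)
    lines = [f"anchor: {anchor.raw}",
             f"entries logged after anchor: {len(entries_after(entries, anchor.ts))}"]
    for prev, cur in find_time_regressions(entries):
        lines.append(f"timestamp regression: {cur.ts} follows {prev.ts} in file order")
    for e in entries:
        if tags(e):
            lines.append(f"{e.ts} {e.proc}: {','.join(tags(e))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, 1999, "vtsk: Hangup"))
```

Run against a full syslog rather than an excerpt, the regression check is the first thing to look at: a later-dated line sitting between two earlier ones means the file order cannot be trusted for "what happened next" arguments, regardless of which line anyone blames.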

