Hello Solaris developers, I need help with diagnosing possible malware, which seems to be originating from a Solaris shared library.

The problem occurs when I submit a URL that doesn't exist. Instead of returning an error, it seems the Solaris resolver returns IP addresses of a web server which redirects HTTP requests to web pages filled with Google ads, etc. So, somebody is making money from all these redirects.

What's worse is that quite frequently legitimate URL names are mapped to these bogus IP addresses, blocking me from accessing the legitimate web site for a period of 5 to 30 minutes.

Originally I thought it was my ISP that was redirecting customer traffic; however, this problem does not occur on other machines on the same network, which have identical DNS settings to the Solaris box.


This is what happens when I try to connect to non-existent domain from NetBSD box:

p3smp$ uname -rs
NetBSD 5.0.1
p3smp$ /usr/bin/telnet www.nowaynosuchhost.com 80
www.nowaynosuchhost.com: No address associated with hostname


And this is what happens when I try the same on Solaris box:

r...@ultra10 uname -a
SunOS ultra10 5.10 Generic_139555-08 sun4u sparc SUNW,Ultra-5_10

r...@ultra10 /usr/bin/telnet www.nowaynosuchhost.com 80
Trying 97.107.142.101...
Connected to www.nowaynosuchhost.com.net.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.nowaynosuchhost.com

HTTP/1.1 302 Found
Date: Wed, 25 Nov 2009 12:46:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: count=1; expires=Wed, 25-Nov-2009 20:46:26 GMT
Set-Cookie: lat=1259153186
Location: http://search.infoweb.net/?mysearch=nowaynosuchhost
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Connection to www.nowaynosuchhost.com.net closed by foreign host.


Now, as far as I remember, I downloaded this version of Solaris from Sun's official website. I don't know if it came with the malware, or if some other programs I installed on this Solaris machine (OpenOffice, the Opera web browser, Acrobat Reader and a few others) have installed the malware.

Could the developers who know how the resolver libraries function help me track and disable the malware? Maybe someone knows a good DTrace script to show what's going on inside function calls?

Thank you very much.
_______________________________________________
opensolaris-code mailing list
opensolaris-code@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
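One detail in the Solaris transcript above is worth checking before looking for malware: telnet reports "Connected to www.nowaynosuchhost.com.net.", i.e. the name it actually connected to carries an extra ".net" that was never typed. That is exactly what the stub resolver's search-list expansion produces when resolv.conf has a "domain" or "search" entry ending in a bare suffix such as "net", and it would explain why the NetBSD box on the same network (same nameserver, possibly a different resolv.conf) behaves differently. The script below is an added example, not code from the original message or from OpenSolaris: it reproduces libresolv's candidate-name sequence (domain/search/ndots handling, including absolute names and the ndots rule, so it goes beyond the one name in the post) and, in live mode, sends one direct dig query per candidate so the suffix that turns a non-existent name into an answer becomes visible. The resolv.conf in the offline demonstration is constructed for illustration and is not the poster's real file; the 192.0.2.53 nameserver is a documentation address. Assumptions: a POSIX shell (on Solaris 10 run it with /usr/xpg4/bin/sh or ksh, since /bin/sh is the legacy Bourne shell) and, for live mode, a dig binary on PATH (Solaris 10 ships one under /usr/sfw/bin).

```shell
#!/bin/sh
# Added diagnostic for the symptom in the post above (not code from the
# original message or from OpenSolaris). It reproduces the stub resolver's
# search-list expansion so you can see which fully-qualified names are really
# sent to the nameserver for a given hostname, then optionally queries each
# one directly with dig. Needs a POSIX shell (/usr/xpg4/bin/sh or ksh on
# Solaris 10) and, for live mode, dig on PATH (e.g. /usr/sfw/bin/dig).

RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# search_list FILE: print the search suffixes FILE defines, space separated.
# "domain" defines one suffix, "search" a list; as in libresolv's res_init,
# whichever of the two appears last wins. (libresolv's fallback to the host's
# own domain when neither is present, and the LOCALDOMAIN environment
# variable, are not modelled.)
search_list() {
    awk '
        $1 == "domain" { list = $2 }
        $1 == "search" { list = $2; for (i = 3; i <= NF; i++) list = list " " $i }
        END { print list }
    ' "$1"
}

# ndots FILE: print the value of "options ndots:N" in FILE (default 1).
# substr() instead of sub() so the old Solaris /usr/bin/awk can run it too.
ndots() {
    awk '
        $1 == "options" { for (i = 2; i <= NF; i++) if ($i ~ /^ndots:/) n = substr($i, 7) }
        END { if (n == "") n = 1; print n }
    ' "$1"
}

# count_dots NAME: number of dots in NAME.
count_dots() {
    echo "$1" | tr -cd '.' | wc -c | tr -d ' '
}

# candidates NAME [FILE]: print, one per line and in order, the names the
# resolver will try for NAME. A trailing dot makes NAME absolute (tried
# as-is only). With at least ndots dots NAME is tried as-is first and the
# search suffixes only after an NXDOMAIN; with fewer dots the suffixes come
# first and the bare name last.
candidates() {
    name=$1
    conf=${2:-$RESOLV_CONF}
    case "$name" in
        *.) echo "$name"; return 0 ;;
    esac
    suffixes=`search_list "$conf"`
    dots=`count_dots "$name"`
    n=`ndots "$conf"`
    if [ "$dots" -ge "$n" ]; then
        echo "$name"
    fi
    for s in $suffixes; do
        echo "$name.$s"
    done
    if [ "$dots" -lt "$n" ]; then
        echo "$name"
    fi
}

# probe NAME: one direct query per candidate (dig does no search-list
# expansion of its own), printing the reply status and any A records, so
# the suffix that turns a non-existent name into an answer stands out.
probe() {
    for fqdn in `candidates "$1"`; do
        echo "== $fqdn"
        dig +nosearch "$fqdn" A | awk '/status:/ { print } $3 == "IN" && $4 == "A" { print }'
    done
}

if [ $# -gt 0 ]; then
    # Live mode: hostnames on the command line, the real resolv.conf, real
    # queries. Try the post's name: ./resolvcheck.sh www.nowaynosuchhost.com
    for h in "$@"; do
        probe "$h"
    done
else
    # Offline demonstration against a constructed resolv.conf (assumed
    # example, not the poster's real file). A "search" line containing the
    # bare suffix "net" is the kind of setting that turns the transcript's
    # www.nowaynosuchhost.com into www.nowaynosuchhost.com.net.
    demo=${TMPDIR:-/tmp}/resolv.demo.$$
    cat > "$demo" <<'EOF'
nameserver 192.0.2.53
search example.com net
options ndots:1
EOF
    echo "candidates for www.nowaynosuchhost.com with: `grep search "$demo"`"
    candidates www.nowaynosuchhost.com "$demo"
    rm -f "$demo"
fi
```

Run with no arguments for the offline demonstration, or with one or more hostnames to probe the live configuration; if the bare name comes back NXDOMAIN and a suffixed candidate comes back with an A record, the fix is the search/domain line in resolv.conf, not a library. The same candidate sequence can be confirmed in the running resolver with a pid-provider one-liner such as `dtrace -n 'pid$target:libresolv.so.2:res_nquerydomain:entry { printf("%s %s\n", copyinstr(arg1), arg2 ? copyinstr(arg2) : "(as-is)") }' -c '/usr/bin/telnet www.nowaynosuchhost.com 80'`, on the assumption that the function is exported under that name with (name, domain) as its second and third arguments, as in BIND-8-derived libresolv.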
