Re: some weird stuff found

From: Marc Rogers (marcr@shady.org)
Date: 09/06/01


Date: Thu, 6 Sep 2001 16:18:41 +0100
From: Marc Rogers <marcr@shady.org>
To: Chris Faulhaber <jedgar@fxp.org>


>
> Probably a Linux or Solaris rpc attack/exploit. Doesn't affect
> FreeBSD machines (except for annoying log entries).

I would take this as a warning however. It is a sure sign of someone
attempting (in a rather clumsy and inaccurate way typical of most kiddies)
to break into your hosts. Most kids these days use a scattergun approach to
hacking and just fire off as many exploits as possible till one gets a result.
I swear half of them don't even know which way to point them.

You should probably take steps to block access to your network from the IP ranges
these attacks are originating from.

You might want to think about installing snort.

>
> > 3 - If I run 'nmap -v localhost' I can see a few ports open
> *snip*
> > What services run on 1020 and 1021? I am not aware of having enabled
> > those, and they do not appear in /etc/services.
> >
>
> Run sockstat (or lsof, etc) to see what is bound to those ports.

Run lsof, but just to be safe, I would download it as a clean install file
from a trusted location (ftp.freebsd.org for example) and compile it just
before you plan to use it. This is the safest way to ensure you are seeing
a true representation of what is running on your system.

Look for those ports you are unsure about, and see which open files are linked
in to them. This will show you which binary was responsible for opening that socket.

If in doubt, kill off the process, and chmod the binary to prevent usage.

>
> > And relating to this, do i need sendmail listening on 25 and 587 if
> > I only need to send mail to a smart host?
>
> You can probably just use -q30m for sendmail flags if you are not
> accepting email, which will not open listening sockets.

I would advise against running sendmail period. There are many better and
more secure alternatives these days (personally I like postfix or qmail).
You certainly do not need to be running sendmail as a daemon.
killall -9 sendmail will relieve you of that particular worry.
(Don't forget to edit your rc.conf, adding sendmail_enable="NO" to prevent it
being restarted at boot time.)

>
> > Also: I need to print to a network printer but I'm not a print server.
> > Do I need 515 open?
>
> Nope. See the lpd(8) man page (-p option).
>
> > How do I close those ports (25,587,515)?
>
> First see what programs are bound to those ports (see above).
> 25 == telnetd (run from inetd)

Errm, 23 is usually telnetd. 25 is the external port of sendmail. See my comments
on sendmail, above.

As mentioned before, use lsof and netstat (careful with what netstat says though, as it
is easily compromised and might be lying) to diagnose what's running and decide if you
need those services.

I would seriously consider adding a local firewall to your host though, especially
as you are running an X server. Good security should be like an onion, layered.

hope this helps,

Marc Rogers
Technical Director
European Data Corporation

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
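The port audit discussed in this thread (map every listening socket to the process that owns it, then decide whether you actually need it) can be scripted so it is repeatable. The following is an added example and is not code from the message above or from FreeBSD; it assumes the column layout of FreeBSD's `sockstat -l` (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS, with listening sockets showing `*:*` as the foreign address) and uses a constructed sample of that output rather than a live system. The function name `unexpected_listeners` and the sample PIDs are made up for illustration.

```shell
#!/bin/sh
# Flag listening TCP sockets whose port is not on an allowlist.
# Input on stdin: output of `sockstat -4 -6 -l` (FreeBSD).
# Output: "COMMAND PID PORT" for each listener that was not expected.
#
# Live use (example, not from the original message):
#   sockstat -4 -6 -l | unexpected_listeners "22"
unexpected_listeners() {
    allow="$1"
    awk -v allow="$allow" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NR == 1 && $1 == "USER" { next }       # skip the sockstat header line
        $5 ~ /^tcp/ && $7 == "*:*" {           # listening socket: no peer address
            port = $6
            sub(/.*:/, "", port)               # "*:25" or "::1:25" -> "25"
            if (!(port in ok)) printf "%s %s %s\n", $2, $3, port
        }
    '
}

# Constructed sample of `sockstat -4 -6 -l` output; PIDs and addresses are invented.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       214   4  tcp4   *:22                  *:*
root     sshd       214   5  tcp6   *:22                  *:*
root     sendmail   301   4  tcp4   *:25                  *:*
root     sendmail   301   5  tcp4   *:587                 *:*
root     lpd        188   6  tcp4   *:515                 *:*
root     rpcbind    133   7  tcp4   *:111                 *:*
root     XFree86    777   3  tcp4   *:6000                *:*
root     sshd       612   5  tcp4   10.0.0.5:22           10.0.0.9:51320
root     rpcbind    133   8  udp4   *:111                 *:*'

# Only port 22 is expected on this host; everything else is reported.
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "22"
```

Each reported line names the binary that opened the socket, which is the information you need before deciding whether to disable the service (for sendmail, the rc.conf change mentioned above) or to firewall the port. Established connections (foreign address set) and UDP sockets are ignored, so the output is only the set of TCP listeners you did not ask for.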


