Re: ?hack cause?

From: Ailean Mhorgainn (ailean@ceadmilefailte.org)
Date: 03/26/02


Date: Tue, 26 Mar 2002 11:42:54 -0500
To: focus-sun@securityfocus.com
From: Ailean Mhorgainn <ailean@ceadmilefailte.org>

At 11:30 AM 3/25/2002 -0800, you wrote:

>Hi, I think I got hacked but not sure how.
>
>Env: Sol8 (all security patches installed - I think), Ultra 10
>
>Log:
>Mar 23 08:12:39 nova inetd[160]: [ID 858011 daemon.warning]
>/usr/dt/bin/rpc.cmsd: Killed
>Mar 23 08:12:44 nova inetd[160]: [ID 858011 daemon.warning]
>/usr/dt/bin/rpc.ttdbserverd: Killed

Looks like the below was someone trying to start inetd while the old inetd
was running...

>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] ftp/tcp: bind:
>Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] telnet/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] uucp/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] time/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] echo/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] discard/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] daytime/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] chargen/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] fs/tcp: bind:
>Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] printer/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] dtspc/tcp:
>bind: Address already in use
>Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] pop3/tcp:
>bind: Address already in use
>
>
>Effect:
>1. lost /usr/dt/bin/rpc.cmsd
>2. new files /usr/bin/login /usr/bin/.login.
>
>Checked sunsolve for cmsd alerts - none.
>
>Any insights appreciated.
>
>Andy
>
>=====================================================================
>Andy Gabor - Department of Neurology, University of California, Davis
>ajgabor@ucdavis.edu (530)754-5036 (FAX)

Check your /etc/inetd.conf for any "new" lines... double check things that
look ok but you're not 100% on.

Who owns these login files, and what do they have for permissions?

--Ailean
Sun Microsystems Certified Solaris Administrator (2.6)
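A small triage script for the inetd pattern discussed in this thread (children reported as Killed, then a second inetd PID failing to bind ports the original still holds). This is an added example, not part of the original post; the sample log is the posted log re-joined into single-line form (constructed).

```python
"""Parse Solaris inetd syslog lines and flag a second inetd instance."""
import re
from collections import defaultdict

INETD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) inetd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ daemon\.\w+\] (?P<msg>.*)$"
)
KILLED_RE = re.compile(r"^(?P<path>\S+): Killed$")
BIND_RE = re.compile(r"^(?P<svc>[\w.-]+/(?:tcp|udp)): bind: Address already in use$")

# Constructed sample: the quoted log lines, unwrapped onto single lines.
SAMPLE_LOG = """\
Mar 23 08:12:39 nova inetd[160]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.cmsd: Killed
Mar 23 08:12:44 nova inetd[160]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.ttdbserverd: Killed
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] ftp/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] telnet/tcp: bind: Address already in use
Mar 23 08:12:56 nova inetd[16315]: [ID 161378 daemon.error] pop3/tcp: bind: Address already in use
"""

def analyze_inetd_log(text):
    """Return killed children, per-PID bind failures, and any second inetd PID."""
    killed = []                        # (inetd pid, path) of children reported Killed
    bind_failures = defaultdict(list)  # inetd pid -> services it could not bind
    for line in text.splitlines():
        m = INETD_RE.match(line)
        if not m:
            continue  # not an inetd line
        pid, msg = int(m["pid"]), m["msg"]
        k = KILLED_RE.match(msg)
        b = BIND_RE.match(msg)
        if k:
            killed.append((pid, k["path"]))
        elif b:
            bind_failures[pid].append(b["svc"])
    # The original inetd is the one whose children died; any other PID that
    # fails to bind the same well-known ports is a second inetd instance.
    original = {pid for pid, _ in killed}
    rogue = sorted(pid for pid in bind_failures if pid not in original)
    return {"killed": killed, "bind_failures": dict(bind_failures),
            "second_inetd_pids": rogue}

if __name__ == "__main__":
    report = analyze_inetd_log(SAMPLE_LOG)
    for pid in report["second_inetd_pids"]:
        svcs = ", ".join(report["bind_failures"][pid])
        print(f"second inetd pid {pid} failed to bind: {svcs}")
```

On the sample this reports PID 16315 as a second inetd that could not bind ftp, telnet and pop3 while PID 160 still held them.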
