
Re: [cobalt-users] Active System Attack Query



I have run these commands as explained in CERT's document. Most of it seems fine, but some of them (that I have included below) seem dodgy. Could you tell me if I should worry about these or not? If I should, what would be the steps not to recover from this point?

[root@raq3 admin]# find / -user root -perm -4000 -print
find: /proc/6/fd: Permission denied
find: /proc/24983/fd/4: No such file or directory

[root@raq3 admin]# find / -group kmem -perm -2000 -print
find: /proc/6/fd: Permission denied
find: /proc/25138/fd/4: No such file or directory
find: /proc/25139: No such file or directory
find: /proc/25141/fd: Permission denied

[root@raq3 admin]# find / -name ".*" -print -xdev | cat -v
/nsr/cores/nsrexecd/.nsr
/etc/cobalt/.meta.id
/etc/.pwd.lock
/etc/skel/.ftphelp
/usr/doc/pam-0.68/html/.cvsignore
/usr/doc/pam-0.68/ps/.cvsignore
/usr/doc/pam-0.68/txts/.cvsignore
/usr/doc/bind-8.2.3/bog/.cvsignore
/usr/games/.doug

Gilles
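The three find commands above are the standard CERT intrusion checks (setuid-root files, setgid-kmem files, hidden names). The "Permission denied" and "No such file or directory" lines under /proc are not findings: /proc is a pseudo filesystem whose entries come and go with processes while find walks it. What the checks cannot tell you on their own is whether a listed file is new. The script below is an added example, not part of the thread; it assumes GNU find (as on a Linux box like the RaQ) and uses hypothetical file names. It re-runs the first two checks confined to one filesystem, so /proc is skipped, writes a snapshot you can keep as a baseline, and reports only entries that appear later.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find (-printf, -xdev).
# Typical use (paths are assumptions):
#   snapshot_privileged / > /root/suid-baseline.txt        # once, on a known-good box
#   snapshot_privileged / > /tmp/suid-now.txt              # later, e.g. daily from cron
#   new_entries /root/suid-baseline.txt /tmp/suid-now.txt  # prints only what is new

# Setuid or setgid regular files under $1 (default /). -xdev keeps find on one
# filesystem, so /proc and other pseudo filesystems are never entered and the
# transient "Permission denied"/"No such file" errors seen in the thread do not
# occur. Output: "<octal mode> <owner> <group> <path>", sorted by path, so two
# snapshots can be compared line by line.
snapshot_privileged() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | sort -k4
}

# Hidden entries (names starting with a dot) under $1, the third CERT check,
# with the file type letter (f = file, d = directory) in front of each path.
snapshot_hidden() {
    root=${1:-/}
    find "$root" -xdev -name '.*' -printf '%y %p\n' 2>/dev/null | sort -k2
}

# Lines present in the current snapshot ($2) but absent from the baseline ($1).
# Both files are sorted into temporaries first because comm requires it.
new_entries() {
    base=$(mktemp) || return 1
    cur=$(mktemp) || { rm -f "$base"; return 1; }
    sort "$1" > "$base"
    sort "$2" > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}
```

A changed mode, owner or group shows up as a new line too, since the whole line is compared. Anything that new_entries prints after a baseline taken on a freshly installed system deserves a look; a hidden file such as /usr/games/.doug is not by itself proof of anything, but it should either be accounted for by an installed package or be explained.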

From: "Jonathan Michaelson" <michaelsonjd@xxxxxxxxxxx>
Reply-To: cobalt-users@xxxxxxxxxxxxxxx
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-users] Active System Attack Query
Date: Tue, 13 Mar 2001 15:47:59 -0000

> Same here, I get about 2-10 scans a day on port 111. I'd appreciate to
> know why. It comes from Brazil, Argentina, France and other places

Simple use of google.com reveals that port 111 is scanned to exploit
potential RPC vulnerabilities on your server:

Here is some useful information gleaned from that simple search:

   [+] BACKGROUND INFORMATION ON PORT 111 (PORTMAP)
   [+]
   [+] A scan for portmappers (port 111 TCP/UDP) is most likely done in order
   [+] to exploit one or several of the known exploits for RPC services
   [+] (rpc.statd, sadmind, etc). Such exploits give the intruder root
   [+] access to the compromised ("cracked") host.
   [+]
   [+] For the moment being, one of the most likely reasons for portmapper
   [+] scanning is in preparation for exploiting rpc.statd on Linux boxes. See:
   [+]
   [+] http://www.cert.org/advisories/CA-2000-17.html
   [+]
   [+] If a host on your network is used to scan for portmappers, it most
   [+] likely means that the host is compromised ("cracked") by somebody, or
   [+] that a local user is stupid enough to run a vulnerability scanner on
   [+] his own host. In either case, you should investigate.

So we're basically talking real hacking attempts to use recent exploits
found in rpc.statd and rpc.mountd to name but two.

Regards,
Jonathan Michaelson
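The reply above explains why port 111 gets probed; the next practical question for an admin seeing "2-10 scans a day" is which sources are behind them and whether any one source is persistent enough to block or report. The script below is an added example, not part of the thread or of any Cobalt tool. It summarises portmapper probes per source address from firewall log lines. The log lines are constructed in the iptables "SRC=... DPT=..." style purely for illustration; adjust the field names to whatever your packet filter actually logs.

```shell
#!/bin/sh
# Added example, not from the thread. Field names (SRC=, DPT=) follow the
# iptables kernel log style and are an assumption about your logger.
# Typical use (paths assumed): portmap_probes < /var/log/messages | over_threshold 3

# Count log lines with destination port 111 per source address, most frequent
# first. The pattern "DPT=111( |$)" anchors the port so DPT=1111 is not counted.
portmap_probes() {
    awk '
        /DPT=111( |$)/ {
            src = "unknown"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Keep only sources seen at least $1 times (default 3); suitable for a daily
# cron job that mails the result to the admin.
over_threshold() {
    awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

# Constructed sample log (documentation addresses, not real scanners) so the
# functions can be exercised stand-alone: sample_log | portmap_probes
sample_log() {
    cat <<'EOF'
Mar 13 03:12:01 raq3 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3456 DPT=111 SYN
Mar 13 03:12:03 raq3 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=3457 DPT=111
Mar 13 04:40:12 raq3 kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=1025 DPT=111 SYN
Mar 13 05:02:55 raq3 kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=2211 DPT=1111 SYN
Mar 13 05:10:00 raq3 kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80 SYN
EOF
}
```

The counts only tell you who is looking. Whether the box is actually exposed depends on what answers on 111: if portmap and the RPC services behind it (rpc.statd, rpc.mountd) are not needed, the better fix is to stop them or filter the port, since then the scans find nothing to exploit regardless of their source.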

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
