RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
- Subject: RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
- From: "Loryan Strant" <cobalt-emails@xxxxxxxxxx>
- Date: Wed Apr 18 10:48:46 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Heya,
I ran "nscd --help", and the following came up:
[root loryans]# /usr/sbin/nscd --help
/usr/sbin/nscd: illegal option -- -
sshd version 1.2.27 [i686-unknown-linux]
Usage: nscd [options]
Options:
-f file Configuration file (default /usr/info/.t0rn/sshd_config)
-d Debugging mode
-i Started from inetd
-q Quiet (no logging)
-p port Listen on the specified port (default: 22)
-k seconds Regenerate server key every this many seconds (default: 3600)
-g seconds Grace period for authentication (default: 300)
-b bits Size of server RSA key (default: 768 bits)
-h file File from which to read host key (default:
/usr/info/.t0rn/shhk)
-V str Remote version string already read from the socket
Definitely the t0rn rootkit. Time to clean it out. :-(
Thanks to everyone for their help!
Loryan
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of shimi
Sent: Wednesday, 18 April 2001 7:30 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Cc: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
On Tue, 17 Apr 2001, Loryan Strant wrote:
> I've found that "/usr/sbin/nscd" is the responsible program for that port
> being open. I don't know what that program is, as it is not found on our
> backup RaQ4 server (which mind you has a lot less updates and programs
> installed).
> I know that my server is now untrustworthy, but would it be a good idea to
> rename/delete this file in the meantime?
>
> Thanks,
>
> Loryan
>
Uhm...
[shimi@shimi shimi]$ /usr/sbin/nscd --help
Usage: nscd [OPTION...]
Name Service Cache Daemon.
Name Service Cache Daemon, it says, and it's a legit application, which
exists on my RedHat box at home on the LAN. The config file is located at
/etc/nscd.conf and the program loads on boot from /etc/rc.d/init.d/nscd.
Yet I fail to see why you're getting a shell prompt from it.
What I can even tell you is that, once launched, that program changes its
uid to a special uid and the same for group (again, on my RedHat), and that as
far as I can see, this program doesn't listen on ANY PORT, not tcp, not
udp. Instead, it uses a UNIX socket. If you don't know what that is, uhm,
I can't really explain, but it's something like a "file" inside the
filesystem which the communication between the application and the
"daemon" goes through. MySQL for instance has that (the file is named
mysql.sock) and you can make it not listen for TCP at all, which is far
more secure that way.
Here is the stuff I found after running nscd:
[root@shimi shimi]# ps aux | grep nscd
nscd 21483 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
nscd 21484 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
nscd 21485 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
nscd 21486 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
nscd 21487 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
nscd 21488 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
nscd 21489 0.0 0.4 12112 1040 ? S 23:14 0:00
/usr/sbin/nscd
[root@shimi shimi]# netstat -pl | grep nscd
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
unix 0 [ ACC ] STREAM LISTENING 94652 21483/nscd
/var/run/.nscd_socket
B. Regards,
- shimi.
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
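The two outputs in this thread show the whole detection in miniature: a binary called nscd that prints an sshd banner with default paths under a hidden /usr/info/.t0rn/ directory, versus a legitimate nscd that owns only a UNIX socket and no TCP port. The following shell script is an added example, not code from either poster; it turns those two observations into reusable checks, runs them over constructed sample text modelled on the posted output (the port number 44658 comes from the subject line), and adds an optional package-verification step that assumes the host is RPM-based and has rpm installed, as the RaQ does.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a binary is what its
# file name claims, using the same evidence the posters relied on.
# All sample texts below are constructed from the outputs posted in the thread.

# Constructed: the banner the trojaned /usr/sbin/nscd printed for Loryan.
TROJANED_HELP='/usr/sbin/nscd: illegal option -- -
sshd version 1.2.27 [i686-unknown-linux]
Usage: nscd [options]
Options:
-f file Configuration file (default /usr/info/.t0rn/sshd_config)
-p port Listen on the specified port (default: 22)'

# Constructed: the banner a legitimate glibc nscd printed for shimi.
LEGIT_HELP='Usage: nscd [OPTION...]
Name Service Cache Daemon.'

# Constructed: "netstat -pl" lines in the layout shimi posted. The legitimate
# daemon has only a UNIX socket; the second sample adds the TCP listener on
# 44658 that started this thread, as a trojaned nscd would show up.
LEGIT_NETSTAT='unix 0 [ ACC ] STREAM LISTENING 94652 21483/nscd /var/run/.nscd_socket'
TROJANED_NETSTAT='tcp 0 0 0.0.0.0:44658 0.0.0.0:* LISTEN 21483/nscd
unix 0 [ ACC ] STREAM LISTENING 94652 21483/nscd /var/run/.nscd_socket'

# banner_mismatch NAME HELP_TEXT
# Exit 0 (suspicious) when the help text announces a different program than
# NAME ("sshd version ..." from something called nscd), or when any path in it
# sits inside a hidden directory such as /usr/info/.t0rn/. Exit 1 otherwise.
banner_mismatch() {
    name=$1
    text=$2
    # A "<program> version <n>" line whose program is not the file's own name.
    if printf '%s\n' "$text" | grep -Ei '^[a-z0-9_.-]+ version [0-9]' | grep -viq "^$name "; then
        return 0
    fi
    # A directory component starting with "." anywhere in a default path.
    if printf '%s\n' "$text" | grep -Eq '/\.[A-Za-z0-9_-]+/'; then
        return 0
    fi
    return 1
}

# tcp_listeners_for NAME NETSTAT_TEXT
# Prints "proto local-address" for every tcp/udp socket in the listing that
# belongs to a process named NAME. A daemon that only uses a UNIX socket prints
# nothing, which is the expected result for a genuine nscd.
tcp_listeners_for() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 ~ /^(tcp|udp)/ && $NF ~ ("/" n "$") { print $1, $4 }'
}

# verify_owner_package PATH
# Assumption: an RPM-based host. rpm -Vf compares the on-disk file with the
# package that shipped it; a "5" in the output means the MD5 digest differs,
# and a file no package owns is reported as such. Silent output means it matches.
verify_owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1" 2>&1
    else
        echo "rpm not available; compare $1 against a known-good copy from install media"
    fi
}

# triage NAME HELP_TEXT NETSTAT_TEXT
# Combines the two offline checks; exit 0 if anything looks wrong, 1 if clean.
triage() {
    suspicious=1
    if banner_mismatch "$1" "$2"; then
        echo "$1: --help banner names another program or a hidden config path"
        suspicious=0
    fi
    listeners=$(tcp_listeners_for "$1" "$3")
    if [ -n "$listeners" ]; then
        echo "$1: network listeners found: $listeners"
        suspicious=0
    fi
    return $suspicious
}

echo "== constructed trojaned sample =="
triage nscd "$TROJANED_HELP" "$TROJANED_NETSTAT" || echo "nothing suspicious"
echo "== constructed legitimate sample =="
triage nscd "$LEGIT_HELP" "$LEGIT_NETSTAT" || echo "nothing suspicious"
```

On a live host the same functions take real output, for example `tcp_listeners_for nscd "$(netstat -pl 2>/dev/null)"` and `banner_mismatch nscd "$(/usr/sbin/nscd --help 2>&1)"`, with `verify_owner_package /usr/sbin/nscd` as the package-level cross-check; netstat must run as root for the process column to be filled in, as the "Not all processes could be identified" notice in shimi's output shows. The banner check is deliberately loose (any program name other than the file's own, any hidden directory in a path) because it is meant to raise a flag for a human to follow up, not to be the final verdict.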