
RE: [cobalt-users] Security Problems



Thanks for the suggestion!  I installed nmap and ran it with the command line
"nmap -p 1-65535 216.219.239.8" and it returned the following:

  Starting nmap V. 2.53 by fyodor@xxxxxxxxxxxx ( www.insecure.org/nmap/ )
  Interesting ports on  (216.219.239.8):
  (The 65532 ports scanned but not shown below are in state: closed)
  Port       State       Service
  22/tcp     open        ssh
  53/tcp     open        domain
  1501/tcp   open        sas-3

  Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds

These ports aren't included in the list shimi gave.  Can I just go into the
services file and remove them?  What can I do to shut these off and what
happens if none of these ports is the problem?


DJ Busch

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of shimi
Sent: Saturday, June 30, 2001 2:14 PM
To: Cobalt List
Subject: Re: [cobalt-users] Security Problems



On Sat, 30 Jun 2001, DJ Busch wrote:

> I have recently begun receiving e-mails regarding scans apparently
> originating from my system.  I'm being told that my server (216.219.239.87)
> is conducting port scans on other computers, but I can't figure out why.
>
> I'm not sure which log to look into or what to look for to find proof that
> someone is using my RAQ as a gateway or spoofing my IP address.  There must
> be a way I can detect this and bring it to a swift end, as I'm at my wits
> end trying to figure it out.
>

spoofing? no... you can spoof the source of data, but you can't *scan* or
*connect* to machines with that, for a simple reason - the target returns its
answers to the spoofed address and not to you...

I would run a portscan on your machine, using nmap
(http://freshmeat.net/projects/nmap) (on a *nix box)

(run a full scan, from port 1 to 65535)
and see what's open:

you should have, on normal configuration, only:

21 - ftp
23 - telnet
25 - smtp (sendmail transport agent)
80 - webserver
81 - admin server
110 - pop3 (mail receiving)
143 - imap (Interim Mail Access Protocol)
443 - webserver SSL access
444 - admin server (although nobody still figured why it uses that port)

that's all, I think

also try chkrootkit:
http://www.chkrootkit.org/

there are more, which I don't recall.
search for "/bin/sh" in /etc/inetd.conf

and search the mailing list archives.... (look at the signature of this
email)

> Any help would be GREATLY appreciated in this matter, and the faster the
> better.
>
that's a start :)
>
> DJ Busch
> webmaster@xxxxxxxxxxxxx
>
- shimi.

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
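The procedure shimi describes (full nmap scan, compare the open ports against the list a stock RaQ should expose, then look for inetd.conf entries that hand a socket straight to /bin/sh) as a script. This is an added example, not code from the thread or from Cobalt; the nmap report and inetd.conf it works on are constructed sample data laid out like the ones in the thread, and the `listener_for_port` helper assumes a Linux `netstat` that supports `-p` (it is not run on the sample data).

```shell
#!/bin/sh
# Added example, not from the original thread. Compares the open ports in an
# nmap report against the baseline port list from the reply, and flags active
# inetd.conf lines that invoke /bin/sh. All input below is constructed.

# Baseline: the ports the reply says a normally configured RaQ should have open.
BASELINE_PORTS="21 23 25 80 81 110 143 443 444"

# Constructed sample nmap 2.53 report (same layout as the one in the thread).
SAMPLE_NMAP='Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on  (192.0.2.10):
(The 65530 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
1501/tcp   open        sas-3

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds'

# Constructed sample inetd.conf with one backdoor-style entry on port sas-3.
SAMPLE_INETD='# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
sas-3   stream  tcp     nowait  root    /bin/sh         sh -i'

# open_ports: read an nmap report on stdin, print the open TCP port numbers,
# one per line, sorted numerically. The "Port State Service" header and the
# summary lines do not match the port/tcp pattern and are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' \
        | sort -n
}

# unexpected_ports: read an nmap report on stdin, print the open ports that
# are not in $BASELINE_PORTS. These are the ones to account for first.
unexpected_ports() {
    open_ports | while read -r port; do
        case " $BASELINE_PORTS " in
            *" $port "*) ;;          # expected on a stock RaQ
            *) echo "$port" ;;      # not in the baseline: investigate
        esac
    done
}

# shell_in_inetd: read an inetd.conf on stdin, print the active (uncommented)
# lines whose server program or arguments mention /bin/sh. A legitimate
# service never needs inetd to exec a shell directly.
shell_in_inetd() {
    grep -v '^[[:space:]]*#' | grep '/bin/sh'
}

# listener_for_port: on the box itself, show which process owns a listening
# port (Linux netstat; needs root for the PID/program column). Assumed tool,
# not exercised on the sample data above.
listener_for_port() {
    netstat -lnp 2>/dev/null | grep ":$1 "
}

# Usage on the constructed samples: prints 22, 53 and 1501, then the sas-3 line.
printf '%s\n' "$SAMPLE_NMAP" | unexpected_ports
printf '%s\n' "$SAMPLE_INETD" | shell_in_inetd
```

To use it against the real box, replace the two samples with `nmap -p 1-65535 <host>` output and `/etc/inetd.conf`, then run `listener_for_port 1501` on the RaQ itself to see which binary is bound there before deleting anything from the services file (the services file only maps names to numbers; removing a line there does not stop a listener).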