[SunRescue] FW: RE: http://www.cert.org/advisories/CA-2000-17.htmlandSolaris...

Mike Hebel druaga at pmail.net
Mon Aug 21 17:36:31 CDT 2000


I'm going to just try rebooting for starters but there's some odd things
(from my viewpoint) in rpcinfo:

   program version netid     address             service    owner
 [snip]
 536870916    1    udp       0.0.0.0.128.32      -          superuser

 [snip]
 874586400    1    udp       0.0.0.0.3.60        -          superuser
 874586400    1    tcp       0.0.0.0.3.61        -          superuser
 874783776    1    udp       0.0.0.0.3.97        -          superuser
 874783776    1    tcp       0.0.0.0.3.98        -          superuser
2004318071    1    udp       0.0.0.0.3.98        -          superuser
2004318071    1    tcp       0.0.0.0.3.99        -          superuser

[snip]
 805306368    1    udp       0.0.0.0.128.101     -          superuser
 805306368    1    tcp       0.0.0.0.128.157     -          superuser
 805306368    1    ticlts    \000\000\021=       -          superuser
 805306368    1    ticotsord \000\000\021@       -          superuser
 805306368    1    ticots    \000\000\021C       -          superuser

All the rest of the rpc processes in this list have numbers like 100024 and
such so these really stand out.

How do I turn those rpc things off - just remove them from the /etc/rpc and
inetd.conf files?

Thanks for all the help everybody BTW!  I really appreciate it.

Mike Hebel

-----Original Message-----
From: rescue-admin at sunhelp.org [mailto:rescue-admin at sunhelp.org]On
Behalf Of Jonathan Katz
Sent: Monday, August 21, 2000 5:08 PM
To: rescue at sunhelp.org
Subject: RE: [SunRescue] FW: RE:
http://www.cert.org/advisories/CA-2000-17.htmlandSolaris...


Mike wrote:

:1) newbie != confused :-P  Well...not always anyway.

I know, I'm just dishing it out ;^)

:2) Here's the output from 'rpcinfo -p localhost':

[ truncated ]

Since you're doing NIS+ stuff and NFS stuff (I'm assuming) plus
DiskSuite stuff you need to leave RPC on.

:    100011    1   udp  32794  rquotad

Are you using quotas? You can turn that off...

:    100002    2   udp  32795  rusersd
:    100002    3   udp  32795  rusersd
:    100002    2   tcp  32806  rusersd
:    100002    3   tcp  32806  rusersd
:    100012    1   udp  32796  sprayd
:    100008    1   udp  32797  walld

You can turn all that stuff, off, too. Do you want people duiong
'rusers' on your network and running 'wall'

:    150001    1   udp   1013  pcnfsd
:    150001    2   udp   1013  pcnfsd
:    150001    1   tcp   1014  pcnfsd
:    150001    2   tcp   1014  pcnfsd

pcnfsd isn't really needed, is it? (Are you running pcnfs?)

:My problem is that I'm too newbyish (newbish?) to know what to look for.

Don't sweat it. My theory is "if it looks like it is wasting CPUs, why
am I running it?"

:Oh, and BTW, the server is up to date on 2.6 patches as of last week.  I'll
:be upgrading to 2.7 next week some time so I will patch more this weekend.
:Then Solaris 8 some time later in the year.

Yahoo!

:I am running Solstice from a Classic being used as a remote X-Terminal.
I'm
:only running Solstice because I don't know enough about NIS+ to properly
:admin it.  (Working on it but can't seem to find a clear training path to
:learn it - book, CBT, _or_ class.)

Ahh, understood. I wish I had some of my ancient perl scripts to help you,
unfortunately I don't have them anymore.

:Regardless this is the first time I've had to deal with anything that looks
:like a real attack.  The worst I've had over the years is SPAM on the mail
:server.  Unix newbie, never had to really deal with good security until
this
:year, first attack - you can see why I'm a little nervous about this.

It may just be Solactice acting buggy. Did you reboot or have troubles w/
your Classic?

:Poor Confused Mike

Awwwww!

-Jon
--
Jonathan Katz
e-mail: jon at jonworld.com
website: http://jonworld.com
proprietor: http://bachelor-cooking.com
Cell: 317-698-4023 * Pager: 800-759-8888 1770869 * FAX: 530-688-5347

_______________________________________________
Rescue maillist  -  Rescue at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/rescue






More information about the rescue mailing list