[SunRescue] FW: RE: http://www.cert.org/advisories/CA-2000-17.htmlandSolaris...
Mike Hebel
druaga at pmail.net
Mon Aug 21 17:36:31 CDT 2000
I'm going to just try rebooting for starters but there's some odd things
(from my viewpoint) in rpcinfo:
program version netid address service owner
[snip]
536870916 1 udp 0.0.0.0.128.32 - superuser
[snip]
874586400 1 udp 0.0.0.0.3.60 - superuser
874586400 1 tcp 0.0.0.0.3.61 - superuser
874783776 1 udp 0.0.0.0.3.97 - superuser
874783776 1 tcp 0.0.0.0.3.98 - superuser
2004318071 1 udp 0.0.0.0.3.98 - superuser
2004318071 1 tcp 0.0.0.0.3.99 - superuser
[snip]
805306368 1 udp 0.0.0.0.128.101 - superuser
805306368 1 tcp 0.0.0.0.128.157 - superuser
805306368 1 ticlts \000\000\021= - superuser
805306368 1 ticotsord \000\000\021@ - superuser
805306368 1 ticots \000\000\021C - superuser
All the rest of the rpc processes in this list have numbers like 100024 and
such so these really stand out.
How do I turn those rpc things off - just remove them from the /etc/rpc and
inetd.conf files?
Thanks for all the help everybody BTW! I really appreciate it.
Mike Hebel
-----Original Message-----
From: rescue-admin at sunhelp.org [mailto:rescue-admin at sunhelp.org] On
Behalf Of Jonathan Katz
Sent: Monday, August 21, 2000 5:08 PM
To: rescue at sunhelp.org
Subject: RE: [SunRescue] FW: RE:
http://www.cert.org/advisories/CA-2000-17.htmlandSolaris...
Mike wrote:
:1) newbie != confused :-P Well...not always anyway.
I know, I'm just dishing it out ;^)
:2) Here's the output from 'rpcinfo -p localhost':
[ truncated ]
Since you're doing NIS+ stuff and NFS stuff (I'm assuming) plus
DiskSuite stuff you need to leave RPC on.
: 100011 1 udp 32794 rquotad
Are you using quotas? You can turn that off...
: 100002 2 udp 32795 rusersd
: 100002 3 udp 32795 rusersd
: 100002 2 tcp 32806 rusersd
: 100002 3 tcp 32806 rusersd
: 100012 1 udp 32796 sprayd
: 100008 1 udp 32797 walld
You can turn all that stuff off, too. Do you want people doing
'rusers' on your network and running 'wall'?
: 150001 1 udp 1013 pcnfsd
: 150001 2 udp 1013 pcnfsd
: 150001 1 tcp 1014 pcnfsd
: 150001 2 tcp 1014 pcnfsd
pcnfsd isn't really needed, is it? (Are you running pcnfs?)
:My problem is that I'm too newbyish (newbish?) to know what to look for.
Don't sweat it. My theory is "if it looks like it is wasting CPUs, why
am I running it?"
:Oh, and BTW, the server is up to date on 2.6 patches as of last week. I'll
:be upgrading to 2.7 next week some time so I will patch more this weekend.
:Then Solaris 8 some time later in the year.
Yahoo!
:I am running Solstice from a Classic being used as a remote X-Terminal. I'm
:only running Solstice because I don't know enough about NIS+ to properly
:admin it. (Working on it but can't seem to find a clear training path to
:learn it - book, CBT, _or_ class.)
Ahh, understood. I wish I had some of my ancient perl scripts to help you,
unfortunately I don't have them anymore.
:Regardless this is the first time I've had to deal with anything that looks
:like a real attack. The worst I've had over the years is SPAM on the mail
:server. Unix newbie, never had to really deal with good security until this
:year, first attack - you can see why I'm a little nervous about this.
It may just be Solstice acting buggy. Did you reboot or have troubles w/
your Classic?
:Poor Confused Mike
Awwwww!
-Jon
--
Jonathan Katz
e-mail: jon at jonworld.com
website: http://jonworld.com
proprietor: http://bachelor-cooking.com
Cell: 317-698-4023 * Pager: 800-759-8888 1770869 * FAX: 530-688-5347
_______________________________________________
Rescue maillist - Rescue at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/rescue
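
The by-eye check in the message above (registrations with no service name and unusually large program numbers), written as an added example that is not part of the original thread. The function names are hypothetical, the range boundaries follow the ONC RPC program-number allocation, and the sample input reuses three lines from the post plus one constructed named entry.

```shell
#!/bin/sh
# Added example: triage `rpcinfo` long-format output on stdin.
# Prints "program netid range port" for every registration whose
# service column is "-" (number has no name in the rpc database).
classify_rpc() {
  awk '
    # Program-number ranges from the ONC RPC spec (simplified).
    function range(p) {
      if (p < 536870912)  return "assigned"      # below 0x20000000
      if (p < 1073741824) return "user-defined"  # 0x20000000-0x3fffffff
      if (p < 1610612736) return "transient"     # 0x40000000-0x5fffffff
      return "reserved"                          # 0x60000000 and above
    }
    # Universal address a.b.c.d.hi.lo -> port hi*256+lo; "-" for
    # loopback transports (ticlts etc.) that have no IP port.
    function port(addr,    n, a) {
      n = split(addr, a, "[.]")
      return (n == 6) ? a[5] * 256 + a[6] : "-"
    }
    $1 ~ /^[0-9]+$/ && NF == 6 && $5 == "-" {
      print $1, $3, range($1 + 0), port($4)
    }
  '
}

# Sample input: header and three entries as posted above, plus one
# constructed named entry (100024 status) that must not be flagged.
sample_lines() {
  cat <<'EOF'
program version netid address service owner
100024 1 udp 0.0.0.0.128.10 status superuser
536870916 1 udp 0.0.0.0.128.32 - superuser
2004318071 1 tcp 0.0.0.0.3.99 - superuser
805306368 1 ticlts \000\000\021= - superuser
EOF
}

sample_lines | classify_rpc
```

On a live host the input would be piped from `rpcinfo` run with no arguments, which prints this six-column format; `rpcinfo -p` uses a different column layout. The decoded port can then be matched to its owning process with the system's usual socket tools.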