[SunHELP] Problem with Inetd

Charu Kamath charu.bhargava at estelcom.com
Fri Apr 2 00:00:49 CST 2004


Thanks for replying.
The intruder is from our own organisation, though he used a common username,
hence I could not trace the real culprit. I have the logs for the same.
Mar 28 11:30:09 dnsblr.estel.net.in in.telnetd[28330]: connect from a.b.c.d
blr       pts/3        a.b.c.d   Sun Mar 28 11:30 - 11:35  (00:05)

So you see, just when he logged out from my machine, the logs came to a
halt.
I already have TCP wrappers in place, and unfortunately I have to permit access
to a.b.c.d, which is the primary server.

Can I just add an entry manually in my /etc/services file for dtspc? I
already have the statement for the dtspc daemon in /etc/inetd.conf.

Can you please help with this?
Thanks, Charu


-----Original Message-----
From: sunhelp-bounces at sunhelp.org [mailto:sunhelp-bounces at sunhelp.org]On
Behalf Of Phil Stracchino
Sent: Friday, April 02, 2004 11:11 AM
To: SUNHelp
Subject: Re: [SunHELP] Problem with Inetd


On Fri, Apr 02, 2004 at 10:55:06AM +0530, Charu Kamath wrote:
> Sun Ultra5 - Logs: Sun Ultra5 SPARC (Solaris 5.7)
> I noticed the following logs on 28 March; somebody tried to enter the box and,
> since he could not get the superuser, he could not harm the system much.
> However, the last line that you see raises an alarm. Since then, the machine
> has not logged any messages into my system.
>
> The machine is running a DNS application and is a secondary server; due to this
> activity I am unable to fetch any data from the primary name servers. Also I am
> not getting any error messages.
>
> Can anyone figure out what exactly could be the problem??
>
>
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: cnt=5
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=1
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=139
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28330
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28332
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28349
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: 28349
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: 0
> Mar 28 11:34:11 dnsblr.estel.net.in last message repeated 1 time
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: not found
> Mar 28 11:34:53 dnsblr.estel.net.in inetd[139]: dtspc/tcp: unknown service


http://www.nacs.uci.edu/security/archive/msg00293.html

Since the dtspc service was not found, it can be presumed this
particular attack didn't succeed.  However, indications are the next one
possibly did.  How do you KNOW the intruder was unable to gain root,
particularly if it's no longer logging anything?

Prudence suggests that you should consider this machine compromised and
act accordingly.


--
 .*********  Fight Back!  It may not be just YOUR life at risk.  *********.
 : phil stracchino : unix ronin : renaissance man : mystic zen biker geek :
 :  alaric at caerllewys.net|phil-stracchino at earthlink.net|phil at novylen.net  :
 :   2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)   :
 :    Linux Now!   ...Because friends don't let friends use Microsoft.    :
_______________________________________________
SunHELP maillist  -  SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp
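As an added example (not from the thread or from any list member), a small Python checker that runs over the syslog lines quoted above and flags the three things the discussion turns on: the inetd "unknown service" request for dtspc, the kernel "Get Su" notices whose searched pid equals the in.telnetd session pid from a.b.c.d, and the logging going silent afterwards. The year (2004), the six-hour silence threshold and the "now" timestamp are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the lines quoted in this thread (year assumed to be 2004).
SAMPLE_LOG = """\
Mar 28 11:30:09 dnsblr.estel.net.in in.telnetd[28330]: connect from a.b.c.d
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: cnt=5
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=139
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28330
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: not found
Mar 28 11:34:53 dnsblr.estel.net.in inetd[139]: dtspc/tcp: unknown service
"""

# BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (the [pid] is optional).
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([\w.]+)(?:\[(\d+)\])?: (.*)$")

def parse_line(line, year=2004):
    """Return a dict for one syslog line, or None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "prog": m.group(3),
            "pid": m.group(4), "msg": m.group(5)}

def find_indicators(log_text, now_iso, year=2004, silence=timedelta(hours=6)):
    """Flag the three things the thread turns on; returns a list of (kind, detail)."""
    now = datetime.fromisoformat(now_iso)
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    findings = []
    # Remote sessions opened by inetd-spawned "in.*" daemons, keyed by the daemon's pid.
    sessions = {e["pid"]: e["msg"].split()[-1] for e in events
                if e["prog"].startswith("in.") and e["msg"].startswith("connect from")}
    for e in events:
        # 1. inetd was asked for a service with no /etc/services entry: a probe, not a hit.
        if e["prog"] == "inetd" and e["msg"].endswith("unknown service"):
            findings.append(("probe_unknown_service", e["msg"].split("/")[0]))
        # 2. Kernel NOTICE lines walking process ids; a searched pid that equals a
        #    known remote session pid ties the activity to that login's source.
        m = re.search(r"Get Su: search pid=(\d+)", e["msg"])
        if m and m.group(1) in sessions:
            findings.append(("su_search_touched_session", sessions[m.group(1)]))
    # 3. Logging stopped: nothing written for longer than `silence` before `now`.
    if events and now - events[-1]["ts"] > silence:
        findings.append(("log_silence_since", events[-1]["ts"].isoformat()))
    return findings

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG, now_iso="2004-03-29T09:00:00"):
        print(kind, detail)
```

Pointing the checker at the real /var/adm/messages and a "last"-style login record lets the same correlation be done on the box itself, with the silence check being the cheapest sign that syslogd is no longer writing.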
