[SunHELP] Problem with Inetd

Phil Stracchino alaric at caerllewys.net
Fri Apr 2 20:35:44 CST 2004


On Fri, Apr 02, 2004 at 12:58:51PM +0530, Charu Kamath wrote:
> Thanks Phil.
> >From what i infer is that i either need to install a patch which is
> (Patch-ID# 106934-04
> Keywords: security characters locales Buffer Overflow subprocess
> Synopsis: CDE 1.3: libDtSvc Patch)

That patch will fix the dtspcd vulnerability.  It will not undo whatever
damage your intruder did to your machine, nor will it secure the machine
against any further intrusions, nor will it remove any rootkit your
intruder may have installed.


> OR re-install the OS.
> I choose the former once since re-installing would be again a pain that too
> when the time is so less..
> the patch Patch-ID# 106934-04 is correct or do ineed to get something else?
> How do in find out the CDE version of my Sun machine?
> Pls pardon if my questions sound silly.. :o)
> 
> regards Charu
> 
> 
> -----Original Message-----
> From: sunhelp-bounces at sunhelp.org [mailto:sunhelp-bounces at sunhelp.org]On
> Behalf Of Phil Stracchino
> Sent: Friday, April 02, 2004 11:57 AM
> To: The SunHELP List
> Subject: Re: [SunHELP] Problem with Inetd
> If you weren't running dtspcd before, starting it now isn't going to
> make life any better.  In particular, if you were getting along without
> it before, there's no reason to start it now, and in particular, doing
> so without first making sure the vulnerability in CERT CA-2001-31
> (Buffer Overflow in CDE Subprocess Control Service) is patched would not
> be the brightest thing you could possibly do at this point.
> 
> I reiterate: Services on the machine which only root should be able to
> affect are not operating as they should.  Logging from the machine,
> which only root should be able to disable, is not working.  You have no
> logs of the intrusion attempt beyond the apparently-failed dtspcd
> exploit attempt.  You do not know that the attacker did not achieve
> root.  You do not know that the machine is not compromised (in fact,
> the evidence rather suggests that it is).  You know that the connection
> came from one of your own machines, and you do not know that machine is
> not also compromised.  Assuming logs on the machine a.b.c.d above are
> intact, they should show you who was logged in at that time and from
> where, and you should be able to determine who had access to that
> machine at that time.  If they're not intact, you should assume that
> machine has been compromised.
> 
> You have two possible situations here:  (1) someone in your organization
> is breaking into your own machines, for possibly nefarious purposes, and
> is leaving them in conditions in which they are not performing their
> intended function.  Or (2) someone outside your organization has
> compromised at least one machine, possibly multiple machines, at your
> organization and is using them to attack and compromise other machines
> at your organization (and possibly elsewhere).
> 
> Either way, you have a serious problem that you cannot fix by just
> restarting the services and covering up the damage.  You need to
> ascertain which machines have been compromised, you need to isolate
> them, you need to replace all suspect binaries (or preferably just
> reinstall the systems), and you need to secure them properly so it
> doesn't happen again.  Starting dtspcd, or restarting syslogd, is not
> going to achieve any of these things.
> 
> 
> 
> --
>  .*********  Fight Back!  It may not be just YOUR life at risk.  *********.
>  : phil stracchino : unix ronin : renaissance man : mystic zen biker geek :
>  :  alaric at caerllewys.net|phil-stracchino at earthlink.net|phil at novylen.net  :
>  :   2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)   :
>  :    Linux Now!   ...Because friends don't let friends use Microsoft.    :
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 
> 
> !DSPAM:406e1f1684011566549419!
> 
> 

-- 
 .*********  Fight Back!  It may not be just YOUR life at risk.  *********.
 : phil stracchino : unix ronin : renaissance man : mystic zen biker geek :
 :  alaric at caerllewys.net|phil-stracchino at earthlink.net|phil at novylen.net  :
 :   2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)   :
 :    Linux Now!   ...Because friends don't let friends use Microsoft.    :



More information about the SunHELP mailing list