[SunRescue] FW: RE: http://www.cert.org/advisories/CA-2000-17.htmlandSolaris...

Mike Hebel druaga at pmail.net
Mon Aug 21 16:03:52 CDT 2000


1) newbie != confused :-P  Well...not always anyway.

2) Here's the output from 'rpcinfo -p localhost':

   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100300    3   udp  32773  nisd
    100300    3   tcp  32772  nisd
    100303    1   tcp  32798  nispasswd
    100024    1   udp  32792  status
    100011    1   udp  32794  rquotad
    100002    2   udp  32795  rusersd
    100002    3   udp  32795  rusersd
    100002    2   tcp  32806  rusersd
    100002    3   tcp  32806  rusersd
    100012    1   udp  32796  sprayd
    100008    1   udp  32797  walld
    100001    2   udp  32798  rstatd
    100001    3   udp  32798  rstatd
    100001    4   udp  32798  rstatd
    100221    1   tcp  32807
    100068    2   udp  32799
    100068    3   udp  32799
    100068    4   udp  32799
    100068    5   udp  32799
    100229    1   tcp  32808  metad
    100230    1   tcp  32809  metamhd
    100235    1   tcp  32810
    100024    1   tcp  32805  status
    100083    1   tcp  32811
 536870916    1   udp  32800
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    120100    1   tcp  32850
 874586400    1   udp    828
 874586400    1   tcp    829
 874783776    1   udp    865
 874783776    1   tcp    866
2004318071    1   udp    866
2004318071    1   tcp    867
    100005    1   udp  32842  mountd
    100005    2   udp  32842  mountd
    100005    3   udp  32842  mountd
    100005    1   tcp  32876  mountd
    100005    2   tcp  32876  mountd
    100005    3   tcp  32876  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100026    1   udp  32847  bootparam
    100026    1   tcp  32882  bootparam
    100243    1   udp  32866
    100243    1   tcp  32923
    150001    1   udp   1013  pcnfsd
    150001    2   udp   1013  pcnfsd
    150001    1   tcp   1014  pcnfsd
    150001    2   tcp   1014  pcnfsd
    100236    1   udp  32867
    100236    1   tcp  32924
    100236    2   udp  32867
    100236    2   tcp  32924
    300598    1   udp  32869
    300598    1   tcp  32925
 805306368    1   udp  32869
 805306368    1   tcp  32925
    100249    1   udp  32870
    100249    1   tcp  32926

My problem is that I'm too newbyish (newbish?) to know what to look for.
Oh, and BTW, the server is up to date on 2.6 patches as of last week.  I'll
be upgrading to 2.7 next week some time so I will patch more this weekend.
Then Solaris 8 some time later in the year.

I am running Solstice from a Classic being used as a remote X-Terminal.  I'm
only running Solstice because I don't know enough about NIS+ to properly
admin it.  (Working on it but can't seem to find a clear training path to
learn it - book, CBT, _or_ class.)

Regardless, this is the first time I've had to deal with anything that looks
like a real attack.  The worst I've had over the years is SPAM on the mail
server.  Unix newbie, never had to really deal with good security until this
year, first attack - you can see why I'm a little nervous about this.

Quivering in fear,

Poor Confused Mike

-----Original Message-----
From: rescue-admin at sunhelp.org [mailto:rescue-admin at sunhelp.org]On
Behalf Of Jonathan Katz
Sent: Monday, August 21, 2000 3:37 PM
To: rescue at sunhelp.org
Subject: RE: [SunRescue] FW: RE:
http://www.cert.org/advisories/CA-2000-17.htmlandSolaris...


Poor, confused Mike wrote [ :^) ]

:> Also I have the following in my /var/adm/messages file for today:
:>
:> Aug 21 10:15:15 engsrv inetd[10827]: getpwnam: wait: No such user
:> Aug 21 10:15:15 engsrv inetd[331]: root: Hangup
:> Aug 21 10:15:15 engsrv inetd[10828]: getpwnam: wait: No such user
:> Aug 21 10:15:15 engsrv inetd[331]: root: Hangup
:> Aug 21 10:15:15 engsrv inetd[10829]: getpwnam: wait: No such user
:> Aug 21 10:15:15 engsrv inetd[331]: root: Hangup
:> Aug 21 10:15:15 engsrv inetd[331]: 100232/rpc/udp server failing
:> (looping), service terminate

Well... what's listed at port 100232 in your /etc/inetd.conf? My handy
2.6 box shows:

100232/10       tli     rpc/udp wait root /usr/sbin/sadmind     sadmind

Which is known to be exploitable. It's your remote Solaris admin stuff.
It should be turned off unless you're using Solstice Admin.

Does 'rpcinfo -p localhost' show anything neato?

Take care!

-Jon
--
Jonathan Katz
e-mail: jon at jonworld.com
website: http://jonworld.com
proprietor: http://bachelor-cooking.com
Cell: 317-698-4023 * Pager: 800-759-8888 1770869 * FAX: 530-688-5347

_______________________________________________
Rescue maillist  -  Rescue at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/rescue
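The check Jon describes (find the RPC program number from the inetd log line in /etc/inetd.conf, then compare with `rpcinfo -p`) and Mike's question of what to look for in that output, as an added worked example. This script is not from either message in the thread: it cross-references an `rpcinfo -p` listing with an inetd.conf and tags every program number as started by inetd, running standalone (started from /etc/rc*.d), or enabled in inetd.conf but not currently registered, which is what sadmind looks like after inetd logs "server failing (looping), service terminate" for it. The rpcinfo sample is an excerpt of the output posted above; the inetd.conf sample is constructed, with only the sadmind line taken verbatim from Jon's mail and the other paths assumed. Rows that `rpcinfo` prints without a name are program numbers it could not find in /etc/rpc, so the script labels those from the server name on the inetd.conf line instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies RPC program numbers:
#   inetd           registered, started on demand by inetd (disable by
#                   commenting the inetd.conf line out and HUPing inetd)
#   standalone      registered, not in inetd.conf (a daemon from /etc/rc*.d)
#   not-registered  enabled in inetd.conf but not registered right now, e.g.
#                   after inetd gave up on it; it returns unless the line goes
#
# On a live box:  rpcinfo -p localhost > /tmp/rpc.out
#                 rpc_classify /tmp/rpc.out /etc/inetd.conf

rpc_classify() {
    rpcinfo_file=$1
    inetd_file=$2
    awk '
        # First file: inetd.conf. Enabled RPC entries look like
        #   100232/10  tli  rpc/udp  wait  root  /usr/sbin/sadmind  sadmind
        FILENAME == ARGV[1] {
            if ($0 ~ /^[ \t]*#/ || NF == 0) next   # comment or blank line
            if ($3 !~ "^rpc/") next                  # not an RPC service
            split($1, pv, "/")                       # "100232/10" -> 100232
            inetd[pv[1]] = $NF                       # remember server name
            next
        }
        # Second file: rpcinfo -p output. Skip the header and rpcbind itself;
        # report each program number once, whatever versions/protos it has.
        $1 == "program" || $1 == "100000" { next }
        NF >= 4 && $1 ~ /^[0-9]+$/ && !($1 in seen) {
            seen[$1] = 1
            if (NF >= 5)          name = $5          # name from /etc/rpc
            else if ($1 in inetd) name = inetd[$1]   # else from inetd.conf
            else                  name = "-"
            state = ($1 in inetd) ? "inetd" : "standalone"
            printf "%s %s %s\n", $1, state, name
        }
        END {
            for (p in inetd)
                if (!(p in seen))
                    printf "%s not-registered %s\n", p, inetd[p]
        }
    ' "$inetd_file" "$rpcinfo_file" | sort -n
}

RPCINFO_SAMPLE=${TMPDIR:-/tmp}/rpcinfo.sample.$$
INETD_SAMPLE=${TMPDIR:-/tmp}/inetd.sample.$$
trap 'rm -f "$RPCINFO_SAMPLE" "$INETD_SAMPLE"' EXIT

# Excerpt of the rpcinfo -p output posted in the thread (100232 is absent).
cat > "$RPCINFO_SAMPLE" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32792  status
    100002    2   udp  32795  rusersd
    100002    3   udp  32795  rusersd
    100012    1   udp  32796  sprayd
    100008    1   udp  32797  walld
    100001    3   udp  32798  rstatd
    100068    2   udp  32799
    100083    1   tcp  32811
    100005    1   udp  32842  mountd
    100003    2   udp   2049  nfs
EOF

# Constructed inetd.conf excerpt: only the sadmind line is verbatim from the
# thread; the others follow the Solaris 2.6 layout with assumed paths.
cat > "$INETD_SAMPLE" <<'EOF'
# RPC entries (constructed for this example)
100232/10       tli     rpc/udp wait root /usr/sbin/sadmind     sadmind
100001/2-4      tli     rpc/datagram_v  wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
100002/2-3      tli     rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
100008/1        tli     rpc/datagram_v  wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
100012/1        tli     rpc/datagram_v  wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
100068/2-5      dgram   rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
100083/1        tli     rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF

rpc_classify "$RPCINFO_SAMPLE" "$INETD_SAMPLE"
```

Run against the samples, the last line is `100232 not-registered sadmind`: inetd still has the line, so it is only off until inetd is restarted or HUPed, and commenting it out is what actually removes the service. The `inetd` rows are the ones a single edit to inetd.conf can shut off; the `standalone` rows (nfs, mountd, status here) need their rc scripts dealt with instead.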