[SunHELP] Problem with Inetd

Phil Stracchino alaric at caerllewys.net
Thu Apr 1 23:41:26 CST 2004


On Fri, Apr 02, 2004 at 10:55:06AM +0530, Charu Kamath wrote:
> Sun Ultra5 - Logs: Sun Ultra5 SPARC (Solaris 5.7)
> I noticed the following logs on 28 March; somebody tried to enter the box and,
> since he could not get superuser, he could not harm the system much.
> However, the last line that you see signals a problem. Since then, the machine
> has not logged any messages into my system.
> 
> The machine is running a DNS application and is a secondary server; due to this
> activity I am unable to fetch any data from the primary name servers. I am also not
> getting any error messages.
> 
> Can anyone figure out what exactly could be the problem?
> 
> 
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: cnt=5
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=1
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=139
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28330
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28332
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28349
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: 28349
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: 0
> Mar 28 11:34:11 dnsblr.estel.net.in last message repeated 1 time
> Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: not found
> Mar 28 11:34:53 dnsblr.estel.net.in inetd[139]: dtspc/tcp: unknown service


http://www.nacs.uci.edu/security/archive/msg00293.html

Since the dtspc service was not found, it can be presumed this
particular attack didn't succeed.  However, indications are the next one
possibly did.  How do you KNOW the intruder was unable to gain root,
particularly if it's no longer logging anything?

Prudence suggests that you should consider this machine compromised and
act accordingly.


-- 
 .*********  Fight Back!  It may not be just YOUR life at risk.  *********.
 : phil stracchino : unix ronin : renaissance man : mystic zen biker geek :
 :  alaric at caerllewys.net|phil-stracchino at earthlink.net|phil at novylen.net  :
 :   2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)   :
 :    Linux Now!   ...Because friends don't let friends use Microsoft.    :
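The triage Phil is describing can be mechanised. The script below is an added example, not code from the original thread or from any Sun tool: it parses BSD-style syslog lines, flags an inetd "unknown service" rejection for dtspc (the CDE subprocess control daemon on TCP 6112, which is what the quoted nacs.uci.edu advisory concerns), flags the burst of kernel "Get Su" notices, and flags the silence that follows, which is the point of the reply: a host that stops logging is evidence of tampering, not of calm. The sample log is the lines quoted in the post plus one constructed benign line; the year (2004), the "now" used for the silence check (the date of the reply) and the thresholds are assumptions.

```python
"""Triage of the Solaris syslog excerpt quoted above (added example)."""
import re
from datetime import datetime, timedelta

# The lines quoted in the post, plus one constructed benign line (finger/tcp)
# at 11:00:00 to show that only watched services are flagged.
SAMPLE_LOG = """\
Mar 28 11:00:00 dnsblr.estel.net.in inetd[139]: finger/tcp: unknown service
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: cnt=5
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=1
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=139
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28330
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28332
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: search pid=28349
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: 28349
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: 0
Mar 28 11:34:11 dnsblr.estel.net.in last message repeated 1 time
Mar 28 11:34:11 dnsblr.estel.net.in unix: NOTICE: Get Su: not found
Mar 28 11:34:53 dnsblr.estel.net.in inetd[139]: dtspc/tcp: unknown service
"""

# BSD syslog: "Mon DD HH:MM:SS host program[pid]: message".  Classic syslog
# carries no year, so the caller supplies one (assumed 2004 for the sample).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$")

# Service names whose rejection by inetd is worth a look.  dtspc is the CDE
# subprocess control daemon (TCP 6112), a well-known remote target on Solaris.
WATCHED_SERVICES = {"dtspc"}


def parse_syslog(text, year):
    """Return (timestamp, host, body) tuples.  Unparseable lines are skipped;
    'last message repeated N time(s)' is expanded into N copies of the
    previous body so that event counts stay honest."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        rep = re.match(r"last message repeated (\d+) times?$", m["body"])
        if rep and records:
            records.extend([(ts, m["host"], records[-1][2])] * int(rep.group(1)))
        else:
            records.append((ts, m["host"], m["body"]))
    return records


def analyze(text, now, year, quiet_after=timedelta(hours=24),
            burst_window=timedelta(seconds=60)):
    """Return a list of (rule, detail) findings for the log text."""
    recs = parse_syslog(text, year)
    if not recs:
        return [("no-parseable-log", "nothing to analyse")]
    findings = []

    # Rule 1: inetd rejecting a connection to a watched service name.  The
    # service is not configured, so this particular attempt failed, but it
    # shows the host is being targeted.
    for ts, host, body in recs:
        m = re.match(r"inetd\[\d+\]: (\S+)/(tcp|udp): unknown service$", body)
        if m and m.group(1) in WATCHED_SERVICES:
            findings.append(("inetd-unknown-service",
                             f"{ts:%b %d %H:%M:%S} {host}: probe of "
                             f"{m.group(1)}/{m.group(2)}; not configured, attempt failed"))

    # Rule 2: a burst of kernel 'Get Su' notices inside one short window.
    su = [ts for ts, _, body in recs if body.startswith("unix: NOTICE: Get Su")]
    if len(su) >= 3 and su[-1] - su[0] <= burst_window:
        findings.append(("get-su-burst",
                         f"{len(su)} 'Get Su' notices between "
                         f"{su[0]:%H:%M:%S} and {su[-1]:%H:%M:%S}"))

    # Rule 3: the log goes quiet after the last event.  Silence after an
    # attack is a finding in its own right, not an all-clear.
    last = max(ts for ts, _, _ in recs)
    if now - last > quiet_after:
        findings.append(("log-silence",
                         f"no syslog entries for {(now - last).days} days after "
                         f"{last:%b %d %H:%M:%S}; treat as possible tampering"))
    return findings


def triage_sample():
    """Run the rules over SAMPLE_LOG with 'now' set to the reply's date."""
    return analyze(SAMPLE_LOG, datetime(2004, 4, 2, 10, 55), year=2004)


if __name__ == "__main__":
    for rule, detail in triage_sample():
        print(f"[{rule}] {detail}")
```

On the sample this reports the dtspc probe, a burst of ten "Get Su" notices (the "repeated 1 time" line counted), and four days of silence. The silence rule is the one worth keeping in a real monitor: it fires on the very symptom the poster reported, and it cannot be hidden by an intruder who simply stops syslogd.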
