Mailinglist Archive: opensuse-security (191 mails)

Re: [suse-security] Real bad log entry
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Sat, 1 Apr 2000 11:42:44 +0200
  • Message-id: <20000401114243.Z24822@xxxxxxxxxxxxx>
On Fri, Mar 31, 2000 at 16:22 -0800, Chrissy wrote:
> chrissy@rox:~ > /usr/sbin/named -v
> named 8.2.2-P3 Sun Nov 14 20:46:41 GMT 1999

IIRC "-P5" is out, you might find the appropriate discussions on
securityfocus.com and freebsd.org. But since I don't run any
_public_ DNS servers I really didn't care any further.

> While doing a portscan.. I noticed a weird port.. 687.. any
> clues?

When /etc/services doesn't reveal anything, you might want to
look at nmap's services file which is more comprehensive. You
can check out the links below.

http://www.robertgraham.com/pubs/firewall-seen.html
http://advice.networkice.com/advice/Exploits/Ports/

And always do something like "fuser -v -n tcp 687". You could
run login daemons on port 80 or mail servers on port 53 -- nobody
said a service had to "conform" to an /etc/services entry, these
are just hints or symbolic names for pure comfort.

> an rpm -Va showed nothing odd...

I'm not sure at the moment whether this would show any _added_
files. I guess it only checks for manipulation of initially
installed files (entered into the rpm database). And did you
check all the modifications not only for reasonability but for
their _full_ change against the initial state? You can expect to
have /etc/inittab look different from the installation time, but
did you look _what_ is the difference?

And while we're at this: which database did you check against?
There's no point in believing in ls(1), lsmod(8) or rpm(1) on a
broken system. Grab an unmodified version to check with (rescue
system from CD, frozen rpm database right after installation,
etc). Set up an IDS like tripwire which comes with most distros
these days.


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
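The two checks the reply recommends, looked up as a small shell script. This is an added example and not code from the message or from SuSE; every function name is hypothetical. It assumes a services-format file (/etc/services or nmap's services file both use "name port/proto" columns), fuser(1) or ss(8) for the socket owner, and sha256sum(1) for the baseline. The baseline half addresses the point about rpm -Va: that check only covers files some package owns, so a file manifest taken from a known-clean state (or from a rescue-CD mount of the disk) is what lets you see added, modified and removed files.

```shell
#!/bin/sh
# Added example (not from the original message); all names are hypothetical.

# lookup_port PORT FILE
# Print every service name registered for PORT/tcp in a services-format file.
# /etc/services and nmap's services file share the "name port/proto ..." layout,
# so one function serves both; comment lines are skipped.
lookup_port() {
    awk -v p="$1" '$1 !~ /^#/ && $2 == (p "/tcp") { print $1 }' "$2"
}

# who_listens PORT
# Ask the kernel which process owns the socket instead of trusting the name
# in the services file. fuser(1) is what the reply suggests; ss(8) is the
# fallback. Run as root to see other users' processes.
who_listens() {
    if command -v fuser >/dev/null 2>&1; then
        fuser -v -n tcp "$1"
    else
        ss -ltnp "sport = :$1"
    fi
}

# make_manifest DIR
# One "sha256  ./relative/path" line per regular file under DIR, sorted by path.
# Taken once from a clean system this is the frozen baseline the reply asks
# for; unlike rpm -Va it also covers files that no package owns.
# Paths containing whitespace are not handled.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done )
}

# compare_manifests BASELINE CURRENT
# Report files added, modified or removed relative to the baseline, one per line.
compare_manifests() {
    awk 'NR == FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in cur)  if (!(p in base))                     print "added " p
             for (p in cur)  if ((p in base) && base[p] != cur[p]) print "modified " p
             for (p in base) if (!(p in cur))                      print "removed " p
         }' "$1" "$2" | LC_ALL=C sort
}

# Command-line use:
#   ./check.sh port 687
#   ./check.sh baseline / > baseline.txt          (on the clean system)
#   ./check.sh compare baseline.txt current.txt
main() {
    case "$1" in
        port)     lookup_port "$2" /etc/services; who_listens "$2" ;;
        baseline) make_manifest "$2" ;;
        compare)  compare_manifests "$2" "$3" ;;
        *)        echo "usage: $0 port N | baseline DIR | compare BASE CUR" >&2; return 1 ;;
    esac
}
[ "$#" -eq 0 ] || main "$@"
```

Keep the baseline manifest somewhere the suspect host cannot write to (removable media or another machine): a manifest stored on the same disk is no more trustworthy than the ls(1) binary the reply warns about.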
