[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] finger on/off?

Subject: Re: [cobalt-security] finger on/off?
From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
Date: Tue, 26 Sep 2000 18:36:13 +0100 (BST)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Well, if you have killall -HUP inetd'ed (as suggested) and "finger" is
still listening, you need to find out what actually is listening (hint: it
probably isn't finger).

su to root.  Do something similar to:

COMMAND: fuser -n tcp 79
OUTPUT: 79/tcp:  21977
        ^^ port  ^^ process id

The above command will tell you what process id (pid) is listening on the
port (79, finger).

Now do:

COMMAND: ps aux | grep 21977
OUTPUT:
root     21977  0.0  0.2  4368  380 ?        S    Sep20   0:01 /usr/bin/perl
root      8873  0.0  0.3  1164  456 pts/30   S    18:26   0:00 grep 21977       

Changing the PID to the one displayed in the previous 'fuser' ouput.  
It'll tell you the process name.

In my example, I have a perl program listening on finger's port.  Once
you've got the PID you can kill it until the next reboot with 'kill PID'.

Hopefully some of this will make sense :)
Gossi


> > Merci for responding.  I guess my root question
is: > 
> >is< finger turned on by default with a new RaQ3, or >not?<.
> 
> When I did this:
> 
>     ps aux | fgrep finger
> 
> it only revealed this:
> 
>     root     17110  0.0  0.0  1160  408 pts/2    S    13:45   0:00 fgrep
> finger
> 
> and when I did this:
> 
>     fgrep finger /etc/services
> 
> I got this:
> 
>     finger          79/tcp
>     cfinger         2003/tcp                        # GNU Finger
> 
> The later output would make me worried that finger is indeed on?  It
> also reveals another question... what is this "GNU finger" ...?!
> 
> Merci encore une fois,
> 
> ~ Theo
> 
> 
> 
> "Fabrice Prémel" wrote:
> 
> > On Mon, 25 Sep 2000 11:02:15 -0700, cobalt-security@xxxxxxxxxxxxxxx
> > wrote:
> > >Hey Folks,
> > >
> > >When I do a "netstat -l" (list listening ports) on my Raq3i, it
> > >seems to
> > >me that it says finger is on and operating:
> > >
> > >Proto    Recv-Q    Send-Q    Local Address     Foreign Address
> > >State
> > >tcp        0                0             *:finger
> > >*:*                     LISTEN
> > >
> > >
> > >.... perhaps I interpret this wrong however?  When I look in
> > >inetd.conf,
> > >it looks like finger is commented out by default?
> > >
> > >Can anyone clear this confusion for me?
> >
> > Do the following :
> > ps aux |fgrep finger
> >
> > to see if it runs standalone.
> >
> > Also do :
> > fgrep finger /etc/services
> >
> > to see if the services file is correct. Finger should be on port 79.
> >
> > You might also want to restart inetd in case it was forgotten :
> > kill -SIGHUP `cat /var/run/inetd.pid`
> >
> > See if that helps,
> >
> > Fabrice Prémel.
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> 
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

References:
- Re: [cobalt-security] finger on/off?
  - From: Theodore Jones

Prev by Date: Re: [cobalt-security] finger on/off?
Next by Date: [cobalt-security] SDI remote ProFTPD exploit
Previous by thread: Re: [cobalt-security] finger on/off?
Next by thread: Re: [cobalt-security] Unable to turn off Finger and NFS

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index