
Re: [cobalt-security] socks & sunrpc on a netstat?



> 
> > Also, sunrpc is a big headache - tons of security issues, even if it's
> > legit, I would close it...
> 
> Umm, I would if I knew how? *meek smile*
> I tried 'man sunrpc' and my lovely blue headache told me to go pound
> sand. I'll try digging through the archives, though (I do try to RTFM
> when I have an inkling on what to look for.)
> 
with the program name from netstat -pl, type:

killall -9 <program name>

then go to /etc/init.d and see where it loads from.

BUT if the process name is INETD
don't(!) kill it (tm)

it's the internet-super-daemon (as I guess you already know)...
what the cracker (script kiddie, most of the time) did was add a line
to /etc/inetd.conf, to listen on one of the ports (rpc/socks) and spawn a
rootshell when telnetting in.

you can know by simply telnetting to your machine at that port. if you get
an "sh" prompt, that's the trick ;P

> Thank you Shimi!
> 
> CarrieB

np.
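
The /etc/inetd.conf check described in the message above, as an added example that is not part of the original post: it scans an inetd.conf-style file and reports active entries whose server program (or first argument, for wrapped services) is a shell. The function names `audit_inetd` and `write_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for entries that hand a
# connecting client a shell. Standard inetd.conf field layout:
#   service  socket_type  protocol  wait/nowait  user  server_program  args...

# audit_inetd FILE
# Prints "LINENO: line" for every suspicious active entry.
# Returns 1 if anything was flagged, 0 if the file looks clean.
audit_inetd() {
    awk '
        function base(p,   n, parts) { n = split(p, parts, "/"); return parts[n] }
        function is_shell(p) { return base(p) ~ /^(sh|ash|bash|csh|dash|ksh|tcsh|zsh)$/ }
        /^[ \t]*#/ || NF < 6 { next }      # skip comments and incomplete lines
        {
            # Field 6 is the server program; field 7 is argv[0], which is the
            # real program when a wrapper such as tcpd sits in field 6.
            if (is_shell($6) || (NF >= 7 && is_shell($7))) {
                printf "%d: %s\n", NR, $0
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# write_sample FILE
# Writes a constructed inetd.conf (not taken from a real host) with two
# legitimate services, one commented-out entry and two shell-spawning entries.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for the audit below
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#socks  stream  tcp  nowait  root  /bin/sh  sh -i
sunrpc  stream  tcp  nowait  root  /bin/sh  sh -i
socks   stream  tcp  nowait  root  /usr/sbin/tcpd  /bin/bash -i
EOF
}

# Demo run against the constructed sample; on a real host pass /etc/inetd.conf.
demo=$(mktemp) && write_sample "$demo"
audit_inetd "$demo" || echo "shell-spawning inetd entries found"
rm -f "$demo"
```

A clean result only covers inetd.conf; services started from /etc/init.d, as mentioned in the message, need their own review.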