On Fri, 26 Nov 1999, Steve Cody wrote:
> I have been reading up on the Portmap attack and noticed that I have
> rpc.portmapper, or portmapper running on 3 of my routers. It appears that a
You should put filters on your routers, nothing external to your network
should have access to the router itself.
> person can delete services on your system. Is there any way to tell what
> may have been tampered with? Can you tell from date/time stamps? Missing
There are, though most of them aren't foolproof; you can always check your
system's checksums against the installation media. Check all binaries
and libraries at a minimum, everything marked +x should count as a binary
to get perl/tcl/whatever scripts. Definitely count everything in root's
path.
> services? Where would I look for these things that can be tampered with.
> Also, can I safely stop the portmapper process and prevent it from running?
Depends on if anything you're running needs it, I don't run anything on
servers that does, but some desktop things I use tend to. Kill it and find
out is the best way to see, but why not simply filter access from external
hosts?
> My systems are linux.
If you use RPMs, you can check the package signatures to see if anything
has changed. You can also filter access to your systems at both the
router and host level. In fact you _should_ filter access to your
infrastructure and servers at your border router. I tend to recommend
adding an additional border router if you don't control the current one
just for that effect. If you can't own the border and don't have good
address ranges, IP unnumbered interfaces seem to be a good bet. You'll
want mostly outbound filter rules anyway, as those are definitely fast
switched if you're using Cisco routers. Inbound used to be process
switched, but I've no idea if that's still the case.
> >Any idea? This IP address resolves to delaxiom.org.
> >What can a person gain by connecting to this port?
Depends on what you have available that's vulnerable. At the least,
nothing, at the most, root.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
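Paul's suggestion to checksum every +x file in root's path, as an added example that is not part of the original mail: a POSIX shell script that records a SHA-256 baseline (taken from a known-good state, ideally right after installing from media) and later reports any recorded file that has changed or gone missing. The script name, the manifest format and the sha256sum/shasum fallback are assumptions.

```shell
#!/bin/sh
# Baseline-and-verify for every executable in root's PATH: record a SHA-256
# per +x file (scripts included) from a known-good state, then compare the
# live files against that record. Assumes sha256sum or shasum is installed.

hash_file() {
    # Print "<sha256>  <path>" for one file (GNU sha256sum, else perl shasum).
    sha256sum -- "$1" 2>/dev/null || shasum -a 256 -- "$1"
}

build_manifest() {
    # $1: colon-separated directory list (e.g. root's PATH); $2: manifest file
    : > "$2"
    old_ifs=$IFS; IFS=:
    for d in $1; do
        IFS=$old_ifs
        [ -d "$d" ] || continue
        # Every regular file with the owner exec bit counts as a "binary".
        find "$d" -maxdepth 1 -type f -perm -100 | LC_ALL=C sort |
        while IFS= read -r f; do hash_file "$f" >> "$2"; done
    done
    IFS=$old_ifs
}

verify_manifest() {
    # $1: manifest file. Prints one CHANGED/MISSING line per problem and
    # returns 1 if any were found, 0 if every recorded file still matches.
    # Caveat: files added after the baseline was taken are not in the manifest.
    problems=0
    while IFS= read -r line; do
        expected=${line%% *}
        path=${line#*  }
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; problems=$((problems + 1))
        elif [ "$(hash_file "$path" | cut -d' ' -f1)" != "$expected" ]; then
            printf 'CHANGED %s\n' "$path"; problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

# Usage: sh pathcheck.sh build /sbin:/bin:/usr/sbin:/usr/bin baseline.sha256
#        sh pathcheck.sh verify baseline.sha256
case "${1:-}" in
    build)  build_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" ;;
esac
```

Keep the baseline file off the host being checked (read-only media or another machine), since an intruder who can replace binaries can also rewrite a manifest stored next to them; on RPM-based systems, `rpm -Va` performs the same comparison against the package database's recorded checksums.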