Systems Administrator wrote:
>
> Hi all. Be kind. I'm a newbie. I've checked the site listed below as I'm
> searching about TCP port 600 but unfortunately nothing is listed about
> this. I found the below in my error logs and I'm still trying to figure
> out what it's supposed to do:
>
> Feb 3 09:45:59 ns statd[123]: attempt to create "/var/statmon/sm/; echo
> "pcserver stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ;
> /usr/sbin/inetd -s /tmp/bob &"
>
> the "bob" file is this:
>
> pcserver stream tcp nowait root /bin/sh sh -i
Yuck. Looks like the purp is trying to add a back door to your system.
Check out your /etc/inetd.conf file and you'll see what I mean. If this
entry gets added to inetd.conf it would create a service named
"pcserver" which runs as root and gives the connecting user a command
shell to the system. The way to tell what port they wanted this service
to listen on is to check /etc/services and look for "pcserver". The
default for pcserver is TCP/600.
> this particular user 'came in' on port 600.
Double yuck. So they already have access to your system. The above is an
attempt to maybe make access a bit easier.
> i read somewhere that this
> port should be blocked...err.. how am i supposed to do that?
First, you need to ID what IP address the person came in on. Do you have
a firewall or router log you could check? All logs on this system should
be considered suspect, so it's best to get your info from another source.
Next, block the purp's subnet using TCPWrapper by adding their subnet
range to your host.deny file. Note that this will only slow them down, as
all they need to do is come in from a different network. This should at
least buy you some time though.
Now what you should do is review your inetd.conf file and comment out
any services you do not need (like pcserver). The fewer services you are
running, the less of a chance they will get back in.
You may also want to check out:
http://www.sans.org/giac.htm
http://www.enteract.com/~lspitz/papers.html
for additional recovery info.
Happy Hunting,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
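As an added example (not part of the thread above and not Chris's code), the following POSIX shell script does the three checks the reply describes: it scans a file in inetd.conf format for entries that hand a connecting client a shell (the "pcserver ... /bin/sh sh -i" line from the log would be flagged), resolves the port such a service would listen on from a services file, and builds the TCP Wrappers hosts.deny line used to refuse a source network. The inetd.conf and services contents are constructed samples written to temp files so the script runs offline; the 192.0.2.0/24 network is a TEST-NET placeholder, not a real attacker address.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an inetd.conf-format
# file for shell-spawning entries, resolves their ports from a services file,
# and prints a TCP Wrappers hosts.deny line. Sample inputs are constructed.

# Print "service user program" for every entry whose program is a shell or
# whose arguments ask for an interactive shell (-i).
flag_shell_services() {
    # $1: path to an inetd.conf-format file
    awk '
        /^[ \t]*#/ || NF < 6 { next }               # skip comments and short lines
        {
            prog = $6; sub(/.*\//, "", prog)         # basename of the program
            rest = ""; for (i = 7; i <= NF; i++) rest = rest " " $i
            if (prog ~ /^(sh|bash|ksh|csh|tcsh|zsh)$/ || rest ~ /(^| )-i( |$)/)
                print $1, $5, $6
        }' "$1"
}

# Print the port/proto a service name maps to in a services-format file
# (the lookup the reply suggests for "pcserver").
service_port() {
    # $1: service name, $2: path to a services file
    awk -v name="$1" '$1 == name { print $2; exit }' "$2"
}

# Build the hosts.deny line TCP Wrappers uses to refuse a source network.
hosts_deny_entry() {
    # $1: network address, $2: netmask
    printf 'ALL: %s/%s\n' "$1" "$2"
}

# Constructed sample inputs (not real system files). The pcserver line
# mirrors the one the attacker tried to append in the log.
write_samples() {
    # $1: inetd.conf path, $2: services path
    cat >"$1" <<'EOF'
# service socket proto wait user program args
ftp      stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
telnet   stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
pcserver stream tcp nowait root /bin/sh sh -i
EOF
    cat >"$2" <<'EOF'
ftp       21/tcp
telnet    23/tcp
pcserver  600/tcp
EOF
}

# Stand-alone run: report flagged entries with their ports, then show the
# hosts.deny line for a (placeholder) TEST-NET source network.
main() {
    conf=$(mktemp); svc=$(mktemp)
    write_samples "$conf" "$svc"
    flag_shell_services "$conf" | while read -r name user prog; do
        echo "suspicious: $name runs $prog as $user on $(service_port "$name" "$svc")"
    done
    hosts_deny_entry 192.0.2.0 255.255.255.0
    rm -f "$conf" "$svc"
}
main
```

Run it against the real files by passing /etc/inetd.conf and /etc/services to the two functions instead of the samples; a flagged entry that you did not put there is the "pcserver" kind of back door the reply describes, and commenting it out and sending inetd a HUP removes the listener.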