Your system is already compromised!!!
(ANY user can get a remote root shell on your system
by telnetting to port 600.)

Do the following: PULL THE NETWORK CABLE OUT NOW!

Disconnect yourself from the internet now (by physical means!)

Then, boot from a read-only medium (installation CD? boot disk?)
and mount your root filesystem (your OS does have an emergency
boot CD/disk, or not?)
Unixes I know that do: Solaris, Linux (all distros), FreeBSD, OpenBSD;
check your OS's documentation.

Then, backup all your valuable files.

Use the OS's supplied method to check the integrity of your installed
packages (assuming you mounted your root fs on /mnt/root):
e.g.: Solaris pkgchk -n -c -R /mnt/root
Red Hat and rpm-based Linux: rpm -V --nofiles
others: check your package management's tools documentation

Then: check all files that were not ok.

and reinstall them / fix config files.

!!! If you don't have the time (hours) to do this, you might consider the
shortcut: wipe your hard disks, reinstall your OS, apply all
current security patches, and get back online.

Or hire a security specialist to do this for you.

regards,

Juergen

> Systems Administrator wrote:
> > 
> > Hi all. Be kind. I'm a newbie. I've checked the site listed below as I'm
> > searching 'bout TCP port 600 but unfortunately nothing is listed 'bout
> > this. I found the below in my error logs and I'm still trying to figure
> > out what it's supposed to do:
> > 
> > Feb  3 09:45:59 ns statd[123]: attempt to create "/var/statmon/sm/; echo
> > "pcserver stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ;
> > /usr/sbin/inetd -s /tmp/bob &"
> > 
> > the "bob" file is this:
> > 
> > pcserver stream tcp nowait root /bin/sh sh -i
> 
> Yuck. Looks like the perp is trying to add a back door to your system.
> Check out your /etc/inetd.conf file and you'll see what I mean. If this
> entry gets added to inetd.conf it would create a service named
> "pcserver" which runs as root and gives the connecting user a command
> shell to the system. The way to tell what port they wanted this service
> to listen on is to check /etc/services and look for "pcserver". The
> default for pcserver is TCP/600.
> 
> > this particular user 'came in' on port 600.
> 
> Double yuck. So they already have access to your system. The above is an
> attempt to maybe make access a bit easier.
> 
> > i read somewhere that this
> > port should be blocked...err.. how am i supposed to do that?
> 
> First, you need to ID what IP address the person came in on. Do you have
> a firewall or router log you could check? All logs on this system should
> be considered suspect, so best to get your info from another source.
> 
> Next, block the perp's subnet using TCP Wrappers by adding their subnet
> range to your hosts.deny file. Note that this will only slow them down as
> all they need to do is come in from a different network. This should at
> least buy you some time though.
> 
> Now what you should do is review your inetd.conf file and comment out
> any services you do not need (like pcserver). The fewer services you are
> running, the less chance they will get back in.
> 
> You may also want to check out:
> http://www.sans.org/giac.htm
> http://www.enteract.com/~lspitz/papers.html
> 
> for additional recovery info.
> 
> Happy Hunting,
> Chris
> -- 
> **************************************
> [EMAIL PROTECTED]
> 
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 


-- 
Juergen P. Meier                        email: [EMAIL PROTECTED]
Class GmbH Firmengruppe                 phone: +49 172 8379103
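A defender-side check for the two things this thread turns on: the statd log line carrying injected shell commands, and an inetd.conf entry that hands a root shell to whoever connects (with its port resolved through /etc/services). This is an added example, not code from the thread; the log, services and inetd.conf samples are constructed (the log line is the one quoted above, rejoined onto a single line as syslog records it).

```python
import re
from typing import Dict, List

# Constructed sample log: the statd line from the thread, plus an unrelated benign line.
SAMPLE_LOG = """\
Feb  3 09:45:59 ns statd[123]: attempt to create "/var/statmon/sm/; echo "pcserver stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &"
Feb  3 09:46:10 ns sshd[130]: Accepted publickey for alice from 192.0.2.10
"""

SAMPLE_SERVICES = "ftp 21/tcp\ntelnet 23/tcp\npcserver 600/tcp\n"  # constructed /etc/services fragment

# Constructed inetd.conf: one normal entry and the injected backdoor entry.
SAMPLE_INETD = """\
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
pcserver stream tcp nowait root /bin/sh sh -i
"""

STATD_CREATE = re.compile(r'statd\[\d+\]: attempt to create "(?P<path>.*)"$')
SHELL_META = re.compile(r"[;&|`$]")  # metacharacters that have no place in a statmon path
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}


def suspicious_statd_paths(log: str) -> List[str]:
    """Return statd 'attempt to create' paths that carry shell metacharacters."""
    hits = []
    for line in log.splitlines():
        m = STATD_CREATE.search(line)
        if m and SHELL_META.search(m.group("path")):
            hits.append(m.group("path"))
    return hits


def parse_services(text: str) -> Dict[str, str]:
    """Map service name -> 'port/proto' from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table


def root_shell_services(inetd_conf: str, services: Dict[str, str]) -> List[dict]:
    """Flag inetd entries that run a shell as root, i.e. a bind-shell backdoor."""
    findings = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        # inetd.conf fields: service socktype proto wait|nowait user server args...
        if len(fields) >= 6 and not line.lstrip().startswith("#"):
            if fields[4] == "root" and fields[5] in SHELLS:
                findings.append({"service": fields[0], "port": services.get(fields[0], "unknown"), "line": line})
    return findings
```

Run the same three functions over the real syslog, /etc/services and inetd.conf copied off the mounted read-only boot (not the live system, whose files are suspect).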