From: pichita3@netscape.net (Fernan Aguero)
To: security@freebsd.org
Date: Thu, 06 Sep 2001 10:34:12 -0400
Subject: some weird stuff found
Message-ID: <08705D38.78FF6AC2.00A48379@netscape.net>

In the last few days I started noticing strange things. Some of them I do not understand and perhaps are normal things (such as being scanned) and others may be more critical. I appreciate any help and insight you can give me.

I am running FreeBSD-4.3.0p15 (RELENG_4_3).

1 - I have been receiving some messages at the console that I would like to understand better:

    arp: unknown hardware address format (0x0800)

Lately I have many of these messages per day. What could be causing this?
2 - I also notice this in /var/log/messages:

    Sep 6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y
    Sep 6 06:00:35 iib005 /kernel: -^PM-^PM-^P

The messages in the console appear a little different, with a lot of gibberish after "sm_stat:" and "/kernel:".

3 - If I run 'nmap -v localhost' I can see a few ports open:

    (The 1536 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    111/tcp    open        sunrpc
    515/tcp    open        printer
    548/tcp    open        afpovertcp
    587/tcp    open        submission
    1020/tcp   open        unknown
    1021/tcp   open        unknown
    2049/tcp   open        nfs
    5432/tcp   open        postgres
    6000/tcp   open        X11

What services run on 1020 and 1021? I am not aware of having enabled those, and they do not appear in /etc/services.

And relating to this, do I need sendmail listening on 25 and 587 if I only need to send mail to a smart host? Also: I need to print to a network printer, but I'm not a print server. Do I need 515 open? How do I close those ports (25, 587, 515)?

And last, I am running xdm but I only allowed connections from localhost. Is this in any way related to X11 being on port 6000? (/etc/services shows xdm on port 177.)

4 - I normally run tripwire each night on the system and I never noticed anything strange. But every time I update my system (cvsup, make world) I have to go over lots of new files that I need to tell tripwire to update. The last time I did this I noticed a strange thing under /bin:

    -r-xr-xr-x  2 root  wheel  50868 Sep  3 13:27 /bin/[

I haven't tried to run it, though I ran 'strings /bin/[' on it.
The output is a little bit long to be posted (ask me if you need it) but following are a few lines:

    $FreeBSD: src/lib/libc/i386/string/rindex.S,v 1.5 1999/08/27 23:59:32 peter Exp $
    $FreeBSD: src/lib/libc/i386/string/strcmp.S,v 1.5 1999/08/27 23:59:33 peter Exp $
    $FreeBSD: src/lib/libc/i386/string/memchr.S,v 1.8 1999/08/27 23:59:31 peter Exp $
    $NetBSD: bcopy.S,v 1.6 1996/11/12 00:50:06 jtc Exp $
    $FreeBSD: src/lib/libc/i386/string/memset.S,v 1.5 1999/08/27 23:59:32 peter Exp $
    $NetBSD: bcopy.S,v 1.6 1996/11/12 00:50:06 jtc Exp $
    $FreeBSD: src/lib/libc/i386/sys/brk.S,v 1.7 1999/08/27 23:59:38 peter Exp $
    ...

Is this a normal binary? Perhaps it is and I just missed it before.

Thanks in advance for suggestions and tips.

pichita
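A defender's check for the rpc.statd and /kernel lines quoted in point 2, added here as an example and not part of the original post or of FreeBSD: it reads BSD-syslog lines and flags any message that carries bytes outside printable ASCII (the "^X÷ÿ¿" in the post is the byte sequence 18 f7 ff bf in iso-8859-1, "M-^P" is 0x90), and any sm_stat argument that is not a well-formed hostname. The sample lines are constructed after the post's; the hostnames and the sshd line are invented for contrast.

```python
import re

# Constructed sample modelled on the post's /var/log/messages excerpt; only
# the first two lines mirror what was posted, the rest are made up.
SAMPLE_LOG = (
    "Sep  6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat: "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf\x19\xf7\xff\xbf\x19\n"
    "Sep  6 06:00:35 iib005 /kernel: \x90\x90\x90\n"
    "Sep  6 06:01:02 iib005 rpc.statd: invalid hostname to sm_stat: "
    "client42.example.org\n"
    "Sep  6 06:01:40 iib005 rpc.statd: invalid hostname to sm_stat: not a host!\n"
    "Sep  6 06:02:10 iib005 sshd[123]: Accepted publickey for alice from 10.0.0.5\n"
)

# Classic BSD syslog layout: timestamp, host, program, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\s]+): (?P<msg>.*)$", re.S)
SM_STAT_PREFIX = "invalid hostname to sm_stat: "
# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")

def nonprintable(s):
    """Characters outside printable ASCII; a real hostname never has any."""
    return [c for c in s if not 0x20 <= ord(c) <= 0x7e]

def classify(prog, msg):
    """Label a syslog message, or return None when nothing stands out."""
    if nonprintable(msg):
        # Raw bytes logged verbatim where text belonged: the request that
        # produced this line was not a hostname.  Worth alerting on for
        # any program, which also covers the /kernel line.
        return "binary-bytes"
    if prog == "rpc.statd" and msg.startswith(SM_STAT_PREFIX):
        arg = msg[len(SM_STAT_PREFIX):]
        if not HOSTNAME_RE.fullmatch(arg):
            return "malformed-hostname"
        # A well-formed but unresolvable name is the ordinary reason for
        # this message; it is not flagged here.
    return None

def scan_log(text):
    """Return (timestamp, program, label) for every flagged line."""
    findings = []
    for line in text.split("\n"):
        m = SYSLOG_RE.match(line)
        if m:
            label = classify(m.group("prog"), m.group("msg"))
            if label:
                findings.append((m.group("ts"), m.group("prog"), label))
    return findings
```

Run it over /var/log/messages read as latin-1 text so the high bytes survive; "binary-bytes" hits on rpc.statd are the ones to correlate with the sunrpc port seen open in the nmap listing.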