Date:      Thu, 06 Sep 2001 10:34:12 -0400
From:      pichita3@netscape.net (Fernan Aguero)
To:        security@freebsd.org
Subject:   some weird stuff found
Message-ID:  <08705D38.78FF6AC2.00A48379@netscape.net>

In the last few days I started noticing strange things. Some of them
I do not understand and perhaps are normal things (such as being scanned)
and others may be more critical.
I appreciate any help and insight you can give me.

I am running FreeBSD-4.3.0p15 (RELENG_4_3).

1 - I have been receiving some messages at the console that I would like
    to understand better:
    arp: unknown hardware address format (0x0800)

    Lately I have many of these messages per day. What could be
    causing this?

2 - I also notice this in /var/log/messages  
    Sep  6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat:
    ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y
    Sep  6 06:00:35 iib005 /kernel: -^PM-^PM-^P

    The messages in the console appear a little different, with a lot
    of gibberish after sm_stat: and /kernel:

3 - If I run 'nmap -v localhost' I can see a few ports open
    (The 1536 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    111/tcp    open        sunrpc
    515/tcp    open        printer
    548/tcp    open        afpovertcp
    587/tcp    open        submission
    1020/tcp   open        unknown
    1021/tcp   open        unknown
    2049/tcp   open        nfs
    5432/tcp   open        postgres
    6000/tcp   open        X11
    
    What services run on 1020 and 1021? I am not aware of having enabled
    those, and they do not appear in /etc/services.
    
    And relating to this, do I need sendmail listening on 25 and 587 if
    I only need to send mail to a smart host?
    Also: I need to print to a network printer but I'm not a print server.
    Do I need 515 open?
    How do I close those ports (25,587,515)?
    And last, I am running xdm but I only allowed connections from
    localhost. Is this in any way related to X11 being on port 6000?
    (/etc/services shows xdm on port 177)

4 - I normally run tripwire each night on the system and I never noticed
    anything strange. But every time I update my system (cvsup, make world)
    I have to go over lots of new files that I need to tell tripwire to
    update.
    The last time I did this I noticed a strange thing under /bin:
    -r-xr-xr-x  2 root  wheel  50868 Sep  3 13:27 /bin/[
    I haven't tried to run it, though I ran 'strings /bin/[' on it.
    The output is a little bit long to be posted (ask me if you need it)
    but following are a few lines:
$FreeBSD: src/lib/libc/i386/string/rindex.S,v 1.5 1999/08/27 23:59:32 peter Exp $
$FreeBSD: src/lib/libc/i386/string/strcmp.S,v 1.5 1999/08/27 23:59:33 peter Exp $
$FreeBSD: src/lib/libc/i386/string/memchr.S,v 1.8 1999/08/27 23:59:31 peter Exp $
$NetBSD: bcopy.S,v 1.6 1996/11/12 00:50:06 jtc Exp $
$FreeBSD: src/lib/libc/i386/string/memset.S,v 1.5 1999/08/27 23:59:32 peter Exp $
$NetBSD: bcopy.S,v 1.6 1996/11/12 00:50:06 jtc Exp $
$FreeBSD: src/lib/libc/i386/sys/brk.S,v 1.7 1999/08/27 23:59:38 peter Exp $
    ... 

    Is this a normal binary? Perhaps it is and I just missed it before.

Thanks in advance for suggestions and tips.

pichita

