Date:      Thu, 6 Sep 2001 10:53:45 -0400
From:      Chris Faulhaber <jedgar@fxp.org>
To:        Fernan Aguero <pichita3@netscape.net>
Cc:        security@freebsd.org
Subject:   Re: some weird stuff found
Message-ID:  <20010906105345.A8026@peitho.fxp.org>
In-Reply-To: <08705D38.78FF6AC2.00A48379@netscape.net>
References:  <08705D38.78FF6AC2.00A48379@netscape.net>



On Thu, Sep 06, 2001 at 10:34:12AM -0400, Fernan Aguero wrote:
> In the last few days I started noticing strange things. Some of them
> I do not understand and perhaps are normal things (such as being scanned)
> and others may be more critical.
> I appreciate any help and insight you can give me.
>
> I am running FreeBSD-4.3.0p15 (RELENG_4_3).
>
> 1 - I have been receiving some messages at the console that I would like
>     to understand better:
>     arp: unknown hardware address format (0x0800)
>
>     Lately I have many of these messages per day. What could be
>     causing this?
>

This is a FAQ.  Basically a machine on your network is sending out
invalid arps.  Search the mailing list archives for details.

> 2 - I also notice this in /var/log/messages
>     Sep  6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat:
>     ^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y
>     Sep  6 06:00:35 iib005 /kernel: -^PM-^PM-^P
>
>     The messages in the console appear a little different, with a lot
>     of gibberish after sm_stat: and /kernel:
>

Probably a Linux or Solaris rpc attack/exploit.  Doesn't affect
FreeBSD machines (except for annoying log entries).

> 3 - If I run 'nmap -v localhost' I can see a few ports open
*snip*
>     What services run on 1020 and 1021? I am not aware of having enabled
>     those, and they do not appear in /etc/services.
>

Run sockstat (or lsof, etc) to see what is bound to those ports.

>     And relating to this, do i need sendmail listening on 25 and 587 if
>     I only need to send mail to a smart host?

You can probably just use -q30m for sendmail flags if you are not
accepting email, which will not open listening sockets.

>     Also: I need to print to a network printer but I'm not a print server.
>     Do I need 515 open?

Nope.  See the lpd(8) man page (-p option).

>     How do I close those ports (25,587,515)?

First see what programs are bound to those ports (see above).
25 == telnetd (run from inetd)
515 == lpd (see above)

>     And last, I am running xdm but I only allowed connections from
>     localhost. Is this in any way related to X11 being on port 6000?
>     (/etc/services shows xdm on port 177)
>

Probably.  6000 range of ports are usually X listening.

> 4 - I normally run tripwire each night on the system and I never noticed
>     anything strange. But every time I update my system (cvsup, make world)
>     I have to go over lots of new files that I need to tell tripwire to
>     update.
>     The last time I did this I noticed a strange thing under /bin:
>     -r-xr-xr-x  2 root  wheel  50868 Sep  3 13:27 /bin/[

/bin/[ is a hard link to /bin/test (normal); 'man [' for details.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
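As an added illustration, not part of the original thread, of how the rpc.statd and arp noise discussed above could be picked out of /var/log/messages, here is a small Python filter run over constructed sample lines in the same syslog shape (the hostnames, timestamps, junk bytes and label names are all made up for the example):

```python
import re

# Constructed sample lines shaped like the /var/log/messages entries
# quoted in the thread; values are made up, the junk bytes are 8-bit and
# control characters of the kind shown after "sm_stat:" and "/kernel:".
SAMPLE_LOG = (
    "Sep  6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat: "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf\x19\xf7\xff\xbf\x19\n"
    "Sep  6 06:00:35 iib005 /kernel: -\x10M-\x10M-\x10\n"
    "Sep  6 06:01:02 iib005 rpc.statd: invalid hostname to sm_stat: nfsclient\n"
    "Sep  6 06:02:10 iib005 /kernel: arp: unknown hardware address format (0x0800)\n"
    "Sep  6 06:03:44 iib005 sshd[312]: Accepted publickey for alice from 10.0.0.5\n"
)

# Classic BSD syslog line: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)

STATD_PREFIX = "invalid hostname to sm_stat:"

def has_binary_junk(text):
    """True if text holds control or 8-bit bytes, which no real hostname has."""
    return any(ch < " " or ch > "~" for ch in text)

def classify(line):
    """Label one syslog line, or return None if it is unremarkable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "rpc.statd" and msg.startswith(STATD_PREFIX):
        arg = msg[len(STATD_PREFIX):]
        return "statd-binary-payload" if has_binary_junk(arg) else "statd-bad-hostname"
    if prog == "/kernel":
        if msg.startswith("arp: unknown hardware address format"):
            return "arp-bad-hwformat"
        if has_binary_junk(msg):
            return "kernel-binary-junk"
    return None

def summarize(log_text):
    """Count labels over all lines; binary-payload counts are the ones to watch."""
    counts = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {label}")
```

On a real host, feed the file contents to summarize() (read it with errors="surrogateescape" so raw 8-bit bytes survive) and alert when the statd-binary-payload counter rises, while the arp counter is just something to chase down on the LAN.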






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010906105345.A8026>