SUMMARY: securenets issue?

From: Jon Lockley (Jon.Lockley@comlab.ox.ac.uk)
Date: Tue Apr 06 2004 - 13:05:14 EDT


Thanks everyone.

------------------------------------------------------------------------

From: Simon Crowther
Subject: Re: securenets issue?

Sorry to hear of your troubles. No doubt you will get lots of good advice
here on this list, but I would also advise you to post this on the
securityfocus mailing list; you will get some really valuable advice from
industry experts like Casper Dik (who has done a great deal of security
related work for Sun Microsystems).

I have a great deal of awareness of security issues, and knowing how
misleading some situations can look, I would always seek the advice of
others in the field (as you have done).

To register with the securityfocus user group, go to www.securityfocus.com
and click on mailing lists on the top right hand side of the site.

Good luck, and if you are interested in dissecting this intrusion (if
you have the time) don't do anything more on the system until you have
sought the advice of users on that group. They will probably advise you
to make an exact image of the disk using dd before you proceed with any
investigation, and then they will probably advise you to download various
tools like The Coroner's Toolkit, lsof, and also compare system binaries
using checksums against those held on the installation CD-ROM... (to see
if you can trust them).

Regards,

Simon Crowther
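A worked version of the last step Simon describes, comparing checksums of system binaries against a baseline taken from trusted media. This is an added example, not code from the post; it assumes a baseline file of "<checksum>  <path>" lines and uses sha256sum where available, falling back to cksum(1), which is what stock Solaris 8 ships. The sample "binaries" and the tampering are constructed inside the demo function.

```sh
#!/bin/sh
# Added example, not from the list posts. Compares checksums of files on a
# possibly compromised host against a baseline taken from trusted media.
# Assumptions: the baseline is "<checksum>  <path>" lines, one per file; the
# checksum tool and find/cut must themselves come from trusted media
# (boot from the install CD-ROM), otherwise a replaced binary can lie.

# hash_file PATH: print one checksum, using whatever tool the host has.
# sha256sum is preferred; stock Solaris 8 offers only sum(1)/cksum(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR OUTFILE: record the checksum of every regular file under DIR.
make_baseline() {
    : > "$2"
    find "$1" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$2"
    done
}

# verify_baseline BASELINE: print one line per file that is missing or whose
# checksum differs from the baseline; unchanged files print nothing.
verify_baseline() {
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "MODIFIED $path"
        fi
    done < "$1"
}

# demo_verify: constructed scenario. Three "binaries" are baselined, then ps
# is replaced (a trojaned binary) and netstat deleted before verification.
demo_verify() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    printf 'original ls\n'      > "$d/usr/bin/ls"
    printf 'original ps\n'      > "$d/usr/bin/ps"
    printf 'original netstat\n' > "$d/usr/bin/netstat"
    make_baseline "$d/usr/bin" "$d/baseline.txt"     # taken while still trusted
    printf 'trojaned ps\n' > "$d/usr/bin/ps"         # the intrusion (constructed)
    rm "$d/usr/bin/netstat"
    verify_baseline "$d/baseline.txt" | sed "s|$d||"  # strip the temp-dir prefix
    rm -rf "$d"
}

demo_verify
```

The point of the caveat in the comments is the one Simon hints at with "to see if you can trust them": a rootkit commonly replaces ls, ps, netstat and the checksum tools themselves, so the comparison is only meaningful when run from binaries booted off the CD-ROM or a dd image mounted on a clean machine.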

Date: Fri, 2 Apr 2004 07:14:51 -0800 (PST)
From: Octave Orgeron
Subject: securenets issue?

Hi,

First off, securenets does not prevent someone from attacking or
logging into a system. It only defines which hosts or networks are
allowed to access NIS information. Since the system was already bound
to NIS, there was nothing to prevent someone from logging into your
system. It's used to prevent systems from binding to NIS, not for
preventing logins on a system in a NIS domain.

The second thing is that you should not have systems exposed on the
internet running NIS or really any services that are not protected. NIS
sends its data in clear text, it's not encrypted.. NIS+ and LDAP are.
If you are going to have a system on the internet, make sure that it's
only serving services that are secure.. things like SSH, VPN, etc. A
good idea is to protect your systems and networks with good router
ACLs, firewall, and IDS. Use NAT to translate IPs and ports so that
people aren't accessing your systems with their real IPs etc. I'd highly
recommend that you read the book "Solaris Security" by Peter H. Gregory
and read the security section of the Solaris 8 Administrator Guide on
docs.sun.com.

Security is something that's done in layers, there is no one solution
that will protect you in all cases. If you have further questions, feel
free to contact me I can give you some good pointers.

Octave
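To make Octave's distinction concrete, here is an added example (not code from the post) that evaluates a /var/yp/securenets file the way ypserv applies it: a client address is matched against "<netmask> <network>" lines or "host <address>" lines, and only matching clients get NIS map lookups answered. It assumes that Solaris securenets syntax; the file and the addresses are constructed for the demo. Nothing in it decides who may log in: a sniffed password works on any NIS client regardless of what this file says.

```sh
#!/bin/sh
# Added example, not from the list posts. Evaluates a /var/yp/securenets
# file as ypserv does: each line is "<netmask> <network>" or
# "host <address>", and a request is answered only if the client address
# matches some line. Assumptions: Solaris securenets syntax as above; the
# file and addresses below are constructed for the demo.

# ip_to_int DOTTED-QUAD: print the address as a single integer.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( a*16777216 + b*65536 + c*256 + d )); }
}

# securenets_allows FILE ADDR: exit 0 if ADDR matches a line of FILE, 1 if not.
securenets_allows() {
    addr=$(ip_to_int "$2")
    while read -r mask net; do
        case "$mask" in ''|'#'*) continue ;; esac   # blank or comment line
        if [ "$mask" = host ]; then                 # "host A.B.C.D" means exact match
            mask=255.255.255.255
        fi
        m=$(ip_to_int "$mask")
        if [ $(( addr & m )) -eq $(( $(ip_to_int "$net") & m )) ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# securenets_check FILE ADDR: print ALLOW or DENY followed by the address.
securenets_check() {
    if securenets_allows "$1" "$2"; then echo "ALLOW $2"; else echo "DENY $2"; fi
}

# demo_securenets: constructed securenets file and four client addresses.
demo_securenets() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /var/yp/securenets (not from a real system)
host 127.0.0.1
255.255.255.0 192.168.10.0
EOF
    securenets_check "$f" 192.168.10.42   # inside the /24: maps are served
    securenets_check "$f" 203.0.113.7     # outside: ypserv ignores the request
    securenets_check "$f" 127.0.0.1       # the host entry matches exactly
    securenets_check "$f" 127.0.0.2       # and nothing else on 127/8
    rm -f "$f"
}

demo_securenets
```

Read the DENY lines as "this client cannot pull passwd or other maps from this server", which is what securenets buys you; it is the firewall, router ACLs and the choice of exposed services that decide who can reach a login prompt.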

Date: Fri, 2 Apr 2004 12:59:51 -0600 (CST)
From: admin@x83.net
Subject: Re: securenets issue?

Hello..

I read your post.. there are several ways an attacker can access your
network. I guess the real user's passwd that has that account was
sniffed.. Then he used it to log in to your server.. the problem is that
if he ddosed someone he must have root.. so one is a sniffer.. and one would
be telnet; if you use telnet on your Sun 5.8 it's probably
vulnerable..

There are at least 3 bugs that can be exploited for uid 0 on Sun servers.

I won't go into details.. but to patch.. either close or apply these patches
105665-04.tar , 111085-02.zip
Another remote bug that gives instant root is dtspcd, which runs on port
6112. Edit /etc/inetd.conf and put a # in front of it.. I don't think you use it
there..

Another one is the sadmind bug.. this one is new.. it attacks port 111
and gives a kind of shell from which you can execute root commands..
It is reported that if the sadmind daemon has been enabled in inetd.conf
and if the system is using the default security level of AUTH_SYS, a
remote user may be able to forge AUTH_SYS credentials and execute
arbitrary commands on the system. The commands will run with the
privileges of sadmind, which is typically root level privileges.

You can modify /etc/inetd.conf or apply these patches..
116453-01.zip sun 5.8
116455-01.zip sun 5.9
This one seems to work only on sun 5.8 and sun 5.9 servers..

I guess you made a point.. if you need any other details email me.. I'm
developing a security course for SunOS.. and I believe I know how these
things work.. Try to install chkrootkit.. and find possible backdoors..
look at /etc/rc* files.. /etc/inittab for specific lines ..

Good day.
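The "close" option in the reply above, putting a # in front of the dtspcd and sadmind entries in /etc/inetd.conf, done as a script. This is an added example, not the poster's code; it assumes the classic inetd.conf layout of the Solaris 8/9 era, the sample lines are constructed approximations rather than copies from a real system, and it also disables telnet in line with the earlier advice to expose only SSH.

```sh
#!/bin/sh
# Added example, not from the list posts. Disables inetd services by
# commenting their lines out of inetd.conf, then lists what is still
# enabled. Assumptions: classic inetd.conf format (Solaris 8/9 era); the
# sample lines in the demo are constructed approximations.

# disable_inetd_service FILE NAME: comment out every active line whose
# service field is NAME or whose command path ends in NAME. Keeps a
# FILE.orig copy and writes back through cat so ownership/mode survive.
disable_inetd_service() {
    [ -f "$1.orig" ] || cp -p "$1" "$1.orig"
    awk -v name="$2" '
        /^[ \t]*#/ { print; next }                     # already disabled
        $1 == name || $0 ~ ("(^|[ \t/])" name "([ \t]|$)") { print "#" $0; next }
        { print }' "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# active_inetd_services FILE: print the service field of each enabled line.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# demo_harden: constructed inetd.conf with the two services the post names
# (dtspc on 6112, sadmind as RPC 100232) plus telnet; disable all three.
demo_harden() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample inetd.conf (approximate Solaris 8 layout)
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd    in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd in.fingerd
dtspc   stream  tcp  nowait  root   /usr/dt/bin/dtspcd   /usr/dt/bin/dtspcd
100232/10 tli   rpc/udp wait root   /usr/sbin/sadmind    sadmind
EOF
    for svc in telnet dtspc sadmind; do   # telnet is cleartext; use SSH instead
        disable_inetd_service "$f" "$svc"
    done
    active_inetd_services "$f"
    # On a real host inetd re-reads the file only after a HUP: pkill -HUP inetd
    rm -f "$f" "$f.orig"
}

demo_harden
```

Run against the real /etc/inetd.conf the script leaves /etc/inetd.conf.orig behind for comparison and prints whatever is still listening through inetd, which is the list to review next against what the host actually needs to serve; patching, as the reply says, is the alternative where the service must stay.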
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:25 EDT