Re: INGRESLOCK - Could it be someone trying to attack - Summary

From: Alan Kong (kkkong@ee.cuhk.edu.hk)
Date: Wed Sep 26 2007 - 21:56:42 EDT


Dear All,
Thank you for your advice and help:
- Casper (Casper.Dik@Sun.COM)
- joe_fletcher@btconnect.com
- Ric Anderson (ric@opus1.com)
- JayJay Florendo (arflorendo@gmail.com)

Summary:
1) "It's just a coincidence; the system has used port 1524 (ingreslock)
to connect to your SPARC";

2) "There used to be a standard hack years ago against the ingreslock port on Solaris.
Thought it was well patched by now though.";

3)"Check /etc/inet/services (and make sure /etc/services is a symbolic
link to /etc/inet/services) for INGRESLOCK."

4) "Look at the source and dest IPs, If you don't recognize them, you may be under attack."

I agree that it was just a coincidence that port 1524 was used to connect to the Sparc. The Sun Sparc has up-to-date patches and nothing abnormal was observed for the last few days.

Regards
Alan

Alan Kong wrote:
> Dear Managers,
> The following was observed when I ran "snoop" on a Sun sparc workstation
> running Solaris 8. I was connecting to the work station using ssh from
> a PC at that moment:
> 1 0.00000 137.189.3.6 -> cus12.cuhk.edu.hk INGRESLOCK R port=22
> 2 0.00006 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22
> 3 0.32806 137.189.3.6 -> cuees12.cuhk.edu.hk INGRESLOCK R port=22
> 4 0.53146 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22
> .....
> 194 0.00006 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22 \203/n
> \305;=\f\357)?\320=\342z\4\342f\315rJ
>
> I have searched on Google and some mentioned that "INGRESLOCK" indicates
> someone tried to hack, but it doesn't mean I have been exploited. Could
> you please help to confirm that the machine was not exploited?
>
> Thank you.
>
> Regards
> Alan
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:42:22 EDT
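
Added example, not part of the original thread: a small triage of snoop summary lines like the ones quoted above, working out which side of each connection actually holds port 1524 (summary points 1 and 4). It assumes snoop's "C" marks a packet sent toward the labelled port and "R" a packet sent from it, with port= giving the other end's port; the sample lines, host names and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the snoop lines quoted above;
# hosts and addresses are placeholders, not the poster's.
SAMPLE = """\
1 0.00000 192.0.2.10 -> sparc1 INGRESLOCK R port=22
2 0.00006 sparc1 -> 192.0.2.10 INGRESLOCK C port=22
3 0.00100 198.51.100.7 -> sparc1 INGRESLOCK C port=40112
4 0.00150 sparc1 -> 198.51.100.7 INGRESLOCK R port=40112
"""

LABEL_PORT = 1524  # ingreslock, as listed in /etc/inet/services
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+INGRESLOCK\s+([CR])\s+port=(\d+)")


def endpoints(line):
    """Return (src, sport, dst, dport) for one labelled line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    src, dst, direction, other = m.group(1), m.group(2), m.group(3), int(m.group(4))
    # Assumed convention: C = sent toward the labelled port, R = sent from it.
    if direction == "C":
        return (src, other, dst, LABEL_PORT)
    return (src, LABEL_PORT, dst, other)


def triage(text, local_host, local_services=(22,)):
    """Map each remote peer to a verdict about which side owns port 1524."""
    verdicts = {}
    for line in text.splitlines():
        ep = endpoints(line)
        if ep is None or local_host not in (ep[0], ep[2]):
            continue
        src, sport, dst, dport = ep
        remote, local_port = (dst, sport) if src == local_host else (src, dport)
        if local_port == LABEL_PORT:
            verdict = "investigate: traffic on local port 1524"
        elif local_port in local_services:
            verdict = "coincidence: 1524 is the peer's source port"
        else:
            verdict = "unknown: local port %d" % local_port
        # An 'investigate' verdict is never downgraded by later packets.
        if not verdicts.get(remote, "").startswith("investigate"):
            verdicts[remote] = verdict
    return verdicts


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE, "sparc1").items():
        print(peer, "->", verdict)
```

A peer flagged "investigate" means something on the local machine is talking on port 1524, which is the case to follow up by checking what is listening there.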