SUMMARY: securenets issue?

From: Jon Lockley (Jon.Lockley_at_comlab.ox.ac.uk)
Date: 04/06/04

    Date: Tue, 6 Apr 2004 18:05:14 +0100 (BST)
    To: sunmanagers@sunmanagers.org

    Thanks everyone.

    ------------------------------------------------------------------------

    From: Simon Crowther
    Subject: Re: securenets issue?

    Sorry to hear of your troubles; no doubt you will get lots of good advice
    here on this list, but I would also advise you to post this on the
    securityfocus mailing list. You will get some really valuable advice from
    industry experts like Casper *** (who has done a great deal of security
    related work for Sun Microsystems).

    I have a great deal of awareness of security issues, and knowing how
    misleading some situations can look, I would always seek the advice of
    others in the field (as you have done).

    To register with the securityfocus user group, go to www.securityfocus.com
    and click on mailing lists on the top right hand side of the site.

    Good luck, and if you are interested in dissecting this intrusion (if
    you have the time) don't do anything more on the system until you have
    sought the advice of users on that group. They will probably advise you
    to make an exact image of the disk using dd before you proceed with any
    investigation, and then they will probably advise you to download various
    tools like The Coroner's Toolkit, lsof, and also compare system binaries
    using checksums against those held on the installation CD-ROM... (to see
    if you can trust them)

    Regards,

    Simon Crowther
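The checksum comparison Simon describes, as an added example that is not part of the original thread or of any Sun tool: build a baseline from a trusted tree (the mounted installation CD-ROM in practice) and recompute it over the live system, reporting files that are modified or missing. It uses only POSIX cksum, find and sort so it can run from trusted media on a Solaris 8 host; the directory names and the sample "binaries" are constructed for the demonstration, and mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the thread: compare checksums of system
# binaries against a trusted baseline (e.g. files on the mounted install
# CD-ROM), as Simon's reply suggests. Uses only POSIX cksum/find/sort, so it
# can run from trusted media on a Solaris 8 box without extra tools. The
# directory names and sample "binaries" below are constructed for the demo;
# mktemp is assumed to be available.

# build_baseline TRUSTED_DIR OUT
#   Write "crc size relative/path" for every regular file under TRUSTED_DIR.
build_baseline() {
    trusted="$1"; out="$2"
    : > "$out"
    find "$trusted" -type f | LC_ALL=C sort | while read -r f; do
        rel=${f#"$trusted"/}
        set -- $(cksum "$f")                 # fields: crc size path
        printf '%s %s %s\n' "$1" "$2" "$rel" >> "$out"
    done
}

# verify_against_baseline BASELINE LIVE_DIR
#   Recompute each baseline entry under LIVE_DIR; print one line per
#   MISSING or MISMATCH file and return the number of problems found.
verify_against_baseline() {
    base="$1"; live="$2"; bad=0
    while read -r crc size rel; do
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING  $rel"
            bad=$((bad + 1)); continue
        fi
        set -- $(cksum "$live/$rel")
        if [ "$1" != "$crc" ] || [ "$2" != "$size" ]; then
            echo "MISMATCH $rel (baseline $crc/$size, live $1/$2)"
            bad=$((bad + 1))
        fi
    done < "$base"
    return "$bad"
}

# run_demo: build a trusted tree and a tampered "live" copy, then print the
# number of findings (expected: one modified file plus one missing file).
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/trusted/usr/bin" "$tmp/live/usr/bin"
    printf 'original ls\n'   > "$tmp/trusted/usr/bin/ls"     # constructed stand-ins
    printf 'original ps\n'   > "$tmp/trusted/usr/bin/ps"
    printf 'original find\n' > "$tmp/trusted/usr/bin/find"
    cp "$tmp/trusted/usr/bin/ls" "$tmp/live/usr/bin/ls"      # unchanged
    printf 'trojaned ps\n'   > "$tmp/live/usr/bin/ps"        # modified
    # usr/bin/find is deliberately absent from the live tree  # missing
    build_baseline "$tmp/trusted" "$tmp/baseline.txt"
    verify_against_baseline "$tmp/baseline.txt" "$tmp/live" | grep -c .
    rm -rf "$tmp"
}

run_demo
```

Two caveats for real use: cksum's CRC is a quick integrity check, not a collision-resistant hash, so where an md5 tool and known-good MD5 values are available (Sun published them for Solaris binaries at the time) prefer those; and run the comparison with cksum, find and sort taken from the trusted media rather than from the suspect system, since those are exactly the binaries whose trustworthiness is in question.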

    Date: Fri, 2 Apr 2004 07:14:51 -0800 (PST)
    From: Octave Orgeron
    Subject: securenets issue?

    Hi,

    First off, securenets does not prevent someone from attacking or
    logging into a system. It only defines which hosts or networks that are
    allowed to access NIS information. Since the system was already bound
    to NIS, there was nothing to prevent someone from logging into your
    system. It's used to prevent systems from binding to NIS, not for
    preventing logins on a system in a NIS domain.

    The second thing is that you should not have systems exposed on the
    internet running NIS or really any services that are not protected. NIS
    sends its data in clear text; it's not encrypted. NIS+ and LDAP are.
    If you are going to have a system on the internet, make sure that it's
    only serving services that are secure, things like SSH, VPN, etc. A
    good idea is to protect your systems and networks with good router
    ACLs, firewall, and IDS. Use NAT to translate IPs and ports so that
    people aren't accessing your systems with their real IPs etc. I'd highly
    recommend that you read the book "Solaris Security" by Peter H. Gregory
    and read the security section of the Solaris 8 Administrator Guide on
    docs.sun.com.

    Security is something that's done in layers; there is no one solution
    that will protect you in all cases. If you have further questions, feel
    free to contact me; I can give you some good pointers.

    Octave
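To make Octave's point concrete, here is an added example (not from the thread) that evaluates a /var/yp/securenets file the way ypserv does. An entry is "netmask network", or "host address" as shorthand for a 255.255.255.255 mask, and a client address matches an entry when (address & mask) == (network & mask). A client outside every entry is refused when it tries to bind to or query this NIS server; nothing in the file says who may log in to a client that is already bound to the domain. The sample file and addresses are constructed; mktemp is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: evaluate a /var/yp/securenets file
# the way ypserv does, to show what it gates. An entry is "netmask network"
# or "host address"; a client address matches when (addr & mask) == (net &
# mask). A host outside every entry cannot bind to or query this NIS server,
# but securenets says nothing about who may log in to a client already bound
# to the domain, which is Octave's point. The sample file is constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE ADDRESS: return 0 if ADDRESS matches an entry in
# FILE, 1 otherwise. Blank lines and '#' comments are skipped.
securenets_allows() {
    file="$1"; want=$(ip_to_int "$2")
    while read -r mask net _rest; do
        case "$mask" in ''|'#'*) continue ;; esac
        if [ "$mask" = "host" ]; then
            m=4294967295                       # host entry: all 32 bits must match
        else
            m=$(ip_to_int "$mask")
        fi
        n=$(ip_to_int "$net")
        if [ $(( want & m )) -eq $(( n & m )) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# write_sample_securenets FILE: a constructed securenets file for the demo.
write_sample_securenets() {
    cat > "$1" <<'EOF'
# constructed example: one LAN, one single host, one /16
255.255.255.0   192.168.10.0
host            10.0.0.5
255.255.0.0     172.16.0.0
EOF
}

demo_securenets() {
    f=$(mktemp) || return 1
    write_sample_securenets "$f"
    for addr in 192.168.10.37 10.0.0.5 10.0.0.6 172.16.200.1 203.0.113.9; do
        if securenets_allows "$f" "$addr"; then
            echo "$addr: ypserv would answer"
        else
            echo "$addr: ypserv would refuse"
        fi
    done
    rm -f "$f"
}

demo_securenets
```

ypserv reads securenets when it starts, so after editing the real file the server has to be restarted before the new entries take effect.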

    Date: Fri, 2 Apr 2004 12:59:51 -0600 (CST)
    From: admin@x83.net
    Subject: Re: securenets issue?

    Hello..

    I read about your post.. there are several ways an attacker can access your
    network. I guess the real user's password for that account was
    sniffed.. Then he used it to log in to your server.. the problem is that
    if he DDoSed someone he must have root.. so one is a sniffer.. and one would
    be telnet; if you use telnet on your Sun 5.8 it's probably
    vulnerable..

    There are at least 3 bugs that exploit Sun servers with uid 0.

    I won't go into details.. but to patch.. either close or apply these patches
    105665-04.tar , 111085-02.zip
    Another remote bug that gives instant root is dtscd which runs on port
    6112. Edit /etc/inetd.conf and put # in front of it.. I don't think you use it
    there..

    And another one is the sadmind bug.. this one is new.. it attacks port 111
    and gives a kind of shell from which you can execute root commands..
    It is reported that if the sadmind daemon has been enabled in inetd.conf
    and if the system is using the default security level of AUTH_SYS, a
    remote user may be able to forge AUTH_SYS credentials and execute
    arbitrary commands on the system. The commands will run with the
    privileges of sadmind, which is typically root level privileges.

    You can modify /etc/inetd.conf or apply these patches..
    116453-01.zip sun 5.8
    116455-01.zip sun 5.9
    This one seems to work only on sun 5.8 and sun 5.9 servers..

    I guess you made a point.. if you need any other details email me.. I'm
    developing a security course for SunOS.. and I believe I know how these
    things work.. Try to install chkrootkit.. and find possible backdoors..
    look at /etc/rc* files.. /etc/inittab for specific lines ..

     Good day.
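The inetd.conf edit and the inittab review from the reply above, as an added example that is not part of the thread: comment out a service by name in a Solaris-8-style inetd.conf (the layout is service, socket type, protocol, flags, user, server program, arguments), list what is still enabled, and print the respawn entries of an inittab so they can be checked against what the host should be running. The sample inetd.conf and inittab excerpts are constructed for the demonstration; the dtspc and sadmind entry shapes follow the Solaris 8 format, and mktemp is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: comment out inetd services in a
# Solaris-8-style inetd.conf and review what is still enabled, following the
# poster's advice to put "#" in front of the dtspc and sadmind entries and to
# look at /etc/inittab. Sample files are constructed in the Solaris 8 layout
# (service socket proto flags user server-program args); on a real host edit
# /etc/inetd.conf itself and then signal inetd (pkill -HUP inetd) to reread it.

# disable_inetd_service FILE NAME
#   Prefix "#" to every active line whose service name (field 1), server
#   program basename (field 6) or last argument equals NAME. Matching the
#   program matters for RPC entries such as sadmind, whose first field is
#   the RPC program number (100232/10), not a name.
disable_inetd_service() {
    file="$1"
    awk -v svc="$2" '
        /^[[:space:]]*#/ || NF == 0 { print; next }     # keep comments/blanks as-is
        {
            prog = $6; sub(/.*\//, "", prog)
            if ($1 == svc || prog == svc || $NF == svc) print "#" $0
            else print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_inetd_services FILE: print the service field of every enabled line.
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# inittab_respawns FILE: print "id process" for every respawn entry, i.e.
# processes init keeps alive across runlevels; review these for anything
# unexpected, as the poster suggests.
inittab_respawns() {
    awk -F: '!/^[[:space:]]*#/ && $3 == "respawn" { print $1, $4 }' "$1"
}

write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed excerpt in Solaris 8 inetd.conf layout
ftp       stream  tcp      nowait  root  /usr/sbin/in.ftpd      in.ftpd
telnet    stream  tcp      nowait  root  /usr/sbin/in.telnetd   in.telnetd
dtspc     stream  tcp      nowait  root  /usr/dt/bin/dtspcd     /usr/dt/bin/dtspcd
100232/10 tli     rpc/udp  wait    root  /usr/sbin/sadmind      sadmind
EOF
}

write_sample_inittab() {
    cat > "$1" <<'EOF'
# constructed excerpt in inittab layout (id:runlevels:action:process)
is:3:initdefault:
s3:3:wait:/sbin/rc3
co:234:respawn:/usr/lib/saf/ttymon -T sun -d /dev/console -l console
EOF
}

demo_inetd() {
    conf=$(mktemp) || return 1
    tab=$(mktemp) || return 1
    write_sample_inetd "$conf"; write_sample_inittab "$tab"
    echo "before:"; active_inetd_services "$conf"
    disable_inetd_service "$conf" dtspc
    disable_inetd_service "$conf" sadmind
    echo "after:";  active_inetd_services "$conf"
    echo "inittab respawn entries:"; inittab_respawns "$tab"
    rm -f "$conf" "$tab"
}

demo_inetd
```

Commenting an entry out only stops inetd from starting that program on new connections; it does not apply the vendor patches the reply lists, and it does nothing for daemons started from the /etc/rc* scripts, which is why the poster also says to read those.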
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers

