ARRRR... let's not scare the man. I get spooky net whatnot like this whenever people install a media player, because the installers port-scan the subnet and then portsentry (part of my intrusion detection system components) drops the route to the installer's host.

However, that's what I was thinking as well. It is just before students come back to college, and it's a .edu box. If you've got tripwire or MD5 checksums of things, now is a good time to verify. grep ps for known trojans and rootkits (again, chicken and egg... if yer rooted, you can't trust ps or grep).

Sach is wise to look at wrappers. Know, however, that tcpwrappers (/etc/hosts.deny and /etc/hosts.allow) is used by inetd and xinetd. With the exception of particular binaries such as SSH, those files are used by the inetd-type applications to decide whether or not to launch an application via tcpd (2600 18:2 has a great article on this). It's quite possible that even though your tcpwrappers setup is bulletproof, the services running can still be a sitting duck if not called by the inetd-type apps, or if the server app is not configured to look at hosts.* on its own for authorization purposes.

In general, it looks like the boxes refusing requests or failing to acknowledge could possibly have a GOOD REASON for doing so. Look at the authentication/authorization mechanism and logs of both servers and clients for anomalies, which could provide useful clues.

tack

On Sat, 1 Sep 2001, Sach Jobb wrote:

> Or hey.... RPC is always a popular crack. It might be that someone has
> broken in via an RPC exploit. (You start it up again, they break in again
> and it crashes them to a remote root prompt. You start it up again, and
> they break in again).
>
> Remember that one with Redhat 6.2 (remote root via RPC). Check the exploit
> lists and see if there is an exploit for RPC on Solaris 2.7.
>
> Consider TCP wrappers too.... /etc/hosts.allow /etc/hosts.deny, or xinit.d
> if you have the time to install and set it up.
>
> cheers,
> sach
>
> On Sat, 1 Sep 2001, tack wrote:
>
> > Looks like your machines had a falling out with each other. What do you
> > know of in your configuration that would cause NIS to not pass
> > authorization/authentication between machines? Any new binaries? IDS?
> >
> > tack
> >
> > On 31 Aug 2001, John Hunter wrote:
> >
> > > We are using solaris 2.7 as a yp server. Last night when trying to
> > > add a new user I got an RPC error message 'Create clnt failure: RPC:
> > > Program not registered'. I did '/etc/init.d/rpc stop' then 'start'
> > > and this seemed to fix the new user problem.
> > >
> > > This morning it appears that the mail server is down. I found the
> > > following in /var/log/syslog
> > >
> > > Aug 31 07:31:03 ace.bsd.uchicago.edu sendmail[4480]: NOQUEUE: SYSERR(root): Cannot bind to map mail.aliases in domain dream: can't communicate with rpcbind: No such file or directory
> > >
> > > Any thoughts about what I need to do to revive this sucker?
> > >
> > > But wait! How can I read the responses if my mail server is down.
> > > Catch 22!
> > >
> > > thanks,
> > > John Hunter

--
------------------------------------------
1st Amendment: Void where prohibited
http://freesklyarov.org
http://www.anti-dmca.org
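The point tack makes about tcpwrappers is worth checking mechanically: hosts.allow and hosts.deny only protect the inetd entries that are actually launched through tcpd, so a quick audit of inetd.conf tells you which services sit outside that control. The script below is an added example and is not code from anyone in the thread; the inetd.conf it reads is constructed sample data written to a temporary file, and the server paths in it (/usr/sbin/tcpd, /usr/sbin/in.ftpd and so on) are illustrative, not taken from the poster's host.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf and report which
# entries are started through tcpd (so /etc/hosts.allow and /etc/hosts.deny
# are consulted) and which are started directly (tcpwrappers never sees them).

# Constructed sample inetd.conf, written to a temp file so the script runs
# offline. Field order is: service socket proto wait user server args.
SAMPLE_INETD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# service   socket  proto    wait    user    server              args
telnet      stream  tcp      nowait  root    /usr/sbin/tcpd      in.telnetd
ftp         stream  tcp      nowait  root    /usr/sbin/in.ftpd   in.ftpd -l
finger      stream  tcp      nowait  nobody  /usr/sbin/tcpd      in.fingerd
shell       stream  tcp      nowait  root    /usr/sbin/in.rshd   in.rshd
100232/10   tli     rpc/udp  wait    root    /usr/sbin/sadmind   sadmind
EOF

# list_unwrapped FILE
# Prints "service server-program" for every active entry whose server field
# is not tcpd. Comment lines and short/blank lines are skipped. Anything
# printed here is a service that hosts.allow/hosts.deny does not govern
# unless the daemon itself was built to honour them.
list_unwrapped() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            server = $6
            n = split(server, parts, "/")   # basename of the server path
            if (parts[n] != "tcpd") print $1, server
        }
    ' "$1"
}

# list_wrapped FILE
# The complement: entries that do go through tcpd.
list_wrapped() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            n = split($6, parts, "/")
            if (parts[n] == "tcpd") print $1, $7
        }
    ' "$1"
}

# count_unwrapped FILE: number of entries outside tcpwrappers control.
count_unwrapped() {
    list_unwrapped "$1" | wc -l | tr -d ' '
}

echo "Wrapped by tcpd (hosts.allow/hosts.deny apply):"
list_wrapped "$SAMPLE_INETD_CONF"
echo
echo "Started directly (tcpwrappers not consulted):"
list_unwrapped "$SAMPLE_INETD_CONF"
```

Run it against the real /etc/inetd.conf by pointing the functions at that path instead of the sample. Services that never appear in inetd.conf at all (a standalone sshd, sendmail, rpcbind itself) are outside this list entirely and need their own access-control check, which is exactly the gap tack describes.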
