On Tue, 17 Apr 2001, Loryan Strant wrote:

> I've found that "/usr/sbin/nscd" is the responsible program for that port
> being open. I don't know what that program is, as it is not found on our
> backup RaQ4 server (which mind you has a lot less updates and programs
> installed).
> I know that my server is now untrustworthy, but would it be a good idea to
> rename/delete this file in the meantime?
> 
> Thanks,
> 
> Loryan
> 

Uhm...
[shimi@shimi shimi]$ /usr/sbin/nscd --help
Usage: nscd [OPTION...]
Name Service Cache Daemon. 

Name Service Cache Daemon it says, and it's a legit application, which
exists on my RedHat box at home on the LAN. The config file is located at
/etc/nscd.conf and the program loads on boot from /etc/rc.d/init.d/nscd

Yet I fail to see why you're getting a shell prompt from it.

What I can even tell you is, that once launched, that program changes its
uid to a special uid and same for group (again, on my redhat), and that as
far as I can see, this program doesn't listen at ANY PORT, not tcp, not
udp. Instead, it uses a UNIX socket. If you don't know what that is, uhm,
I can't really explain, but it's something like a "file" inside the
filesystem which the communication between the application and the
"daemon" goes through. MySQL for instance has that (the file is named
mysql.sock) and you can make it not listen for TCP at all, which is far
more secure that way.

Here is the stuff I found after running nscd:
[root@shimi shimi]# ps aux | grep nscd
nscd     21483  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd
nscd     21484  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd
nscd     21485  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd
nscd     21486  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd
nscd     21487  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd
nscd     21488  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd
nscd     21489  0.0  0.4 12112 1040 ?        S    23:14   0:00 /usr/sbin/nscd   

[root@shimi shimi]# netstat -pl | grep nscd
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
unix  0      [ ACC ]     STREAM     LISTENING     94652  21483/nscd /var/run/.nscd_socket


B. Regards,

- shimi.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
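
Added example, not part of the original message: a shell check that reads `netstat -lnp` style output and reports whether a daemon expected to use only a UNIX socket (nscd, as described in the reply above) also owns a tcp/udp listener. The sample lines, PIDs and port 40000 are constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in `netstat -lnp` layout (not output from the thread).
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:22        0.0.0.0:*      LISTEN      612/sshd
tcp        0      0 0.0.0.0:40000     0.0.0.0:*      LISTEN      30211/nscd
udp        0      0 0.0.0.0:111       0.0.0.0:*                  580/portmap
unix  2      [ ACC ]     STREAM     LISTENING     94652  21483/nscd /var/run/.nscd_socket
unix  2      [ ACC ]     STREAM     LISTENING     1201   700/mysqld /var/lib/mysql/mysql.sock
EOF
}

# listeners_for NAME: read netstat output on stdin and print one line per
# listener owned by program NAME, as "family pid endpoint".
listeners_for() {
    awk -v name="$1" '
    {
        owner = 0
        # The PID/Program column sits at a different position on inet and
        # unix lines, so locate it by its shape instead of by field number.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\/./) { owner = i; break }
        if (!owner) next
        split($owner, p, "/")
        if (p[2] != name) next
        if ($1 == "unix") print "unix", p[1], $NF
        else if ($1 ~ /^(tcp|udp)/) print "inet", p[1], $1 "/" $4
    }'
}

# check_unix_only NAME: return 0 only if NAME has no tcp/udp listener.
check_unix_only() {
    bad=$(listeners_for "$1" | awk '$1 == "inet"')
    if [ -n "$bad" ]; then
        echo "UNEXPECTED inet listener(s) for $1:"
        # /proc/PID/exe shows which binary that PID is really running.
        echo "$bad" | while read -r fam pid ep; do
            echo "  pid $pid on $ep (compare: ls -l /proc/$pid/exe)"
        done
        return 1
    fi
    echo "OK: $1 listens on unix sockets only"
}

sample_netstat | check_unix_only nscd || true
sample_netstat | check_unix_only mysqld
```

On a live host, run `netstat -lnp | check_unix_only nscd` as root so that every socket's owning PID is shown.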