[NCLUG] I was hacked!

Michael Dwyer mdwyer at sixthdimension.com
Fri Dec 29 16:06:57 MST 2000


At 10:08 PM 12/29/00 +0000, you wrote:
> > There are active exploits against these ports.  1080 is where WinGate
> > (SOCKS) lives -- which IRC kiddies use to proxy IRC through. Portmapper and
> > imap have both been victims of exploits in the last few months.
> > Should it concern you?  Kind of.  You have already made the first step of
> > watching out for your server.  (Yay!)  These scans are normally made by
> > script kiddies out looking for an easy target.  If your portmapper and
> > imapd are turned off, or running a non-vulnerable version or config, you
> > are safe.  But I would keep watching the logs.
>
>imapd is off, but portmapper is on.  Still, it seems that portsentry is
>blocking outsiders from hitting it.

Portmapper is only used by NFS, *I THINK*.  I'm not sure if rsync uses it 
or not.  It's used by the sun RPC services, at least.  If you aren't using 
it, I'd turn it off.  The trouble is figuring out if you use it.  I'm not 
sure how to do that. :)  I've never missed it, but it is always turned on 
when I install a machine. rpc.statd was also recently compromised... Make 
sure that isn't running, or is patched.

You can also set up ipchains to block those ports...  That's a solution for 
ports that cannot be protected with tcp wrappers. Oh, and it always helps 
to have a friend with nmap (www.insecure.org) test your firewall configs.
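One way to answer the "is anything actually using portmapper?" question from the post, as an added example that is not part of the original message: `rpcinfo -p` lists every program registered with the portmapper, so if nothing but portmapper itself shows up, nothing depends on it. The `rpcinfo` output below is a constructed sample (program 100024 is how rpc.statd registers, as "status"); the ipchains rules are printed rather than applied, since applying them needs root.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output on a box where portmapper is up
# and rpc.statd ("status") plus the NFS daemons are registered with it.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    895  status
    100024    1   tcp    897  status
    100003    2   udp   2049  nfs
    100005    1   udp    904  mountd'

# Print the RPC services registered with portmapper other than portmapper
# itself, one per line.  Empty output means nothing depends on it and the
# portmapper can be turned off.
rpc_dependents() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 != "portmapper" { print $5 }' | sort -u
}

# Succeed (exit 0) if rpc.statd, RPC program 100024, is registered.
statd_registered() {
    printf '%s\n' "$1" | awk '$1 == "100024" { found = 1 } END { exit !found }'
}

# Emit ipchains rules denying inbound TCP and UDP to the given ports
# (e.g. 111 for portmapper, 143 for imap, 1080 for the SOCKS port
# mentioned in the thread).  Printed only; run them as root to apply.
block_rules() {
    for port in "$@"; do
        for proto in tcp udp; do
            printf 'ipchains -A input -p %s -s 0/0 -d 0/0 %s -j DENY\n' "$proto" "$port"
        done
    done
}

# Stand-alone usage against the constructed sample.
echo "RPC services depending on portmapper:"
rpc_dependents "$SAMPLE_RPCINFO"
if statd_registered "$SAMPLE_RPCINFO"; then
    echo "rpc.statd is registered: stop it or make sure it is patched."
fi
block_rules 111 143 1080
```

On a real machine replace the constructed sample with `"$(rpcinfo -p)"`; an error from `rpcinfo` itself means the portmapper is already not running.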