[ale] odd lsof -i.
Jonathan Rickman
jonathan at xcorps.net
Wed Jun 13 22:34:38 EDT 2001
Use the -O flag in nmap to ID the OS (i.e. you have an all NT / Solaris
shop and suddenly someone "got Slack"). Then try to find its MAC. If you
have managed switches you should be able to chase it as far as the patch
cable...provided you have wiring diagrams/labels. I don't have a URL handy
at the moment (composing offline) but I believe there was a vulnerability
reported recently in xntp. I can't remember the details. Personally, I
wouldn't panic...but it is definitely cause for concern. I'd probably
skip my morning coffee to track it down...
As for sendmail going down...you can probably help yourself more than I
can there. I've always used VERY simplistic sendmail configurations, so
I've rarely had to troubleshoot.
"big empty time span"...huh? logs? That's baaaaaad.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
On Wed, 13 Jun 2001, Robert L. Harris wrote:
>
>
>
> I'm curious about the security of a box... There's a big empty time span
> missing from this morn and sendmail went down this morn. I'm also
> seeing this:
>
> [root at rl1 log]# lsof -i
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 450 root 3u IPv4 395 TCP *:ssh (LISTEN)
> xntpd 465 root 4u IPv4 420 UDP *:ntp
> xntpd 465 root 5u IPv4 421 UDP d94s117.subd.company.com:ntp
> xntpd 465 root 6u IPv4 422 UDP rl1.subd.company.com:ntp
>
>
> I'm curious about the 3rd entry. That is in theory a machine inside the
> company but it doesn't answer pings and I can't figure out why it'd be
> talking to this machine on the ntp protocol. This machine isn't an
> ntp server and that 3rd entry is dhcp so it's not a server either.
>
> I'm nmapping the box now.
>
> Thoughts?
>
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris | Micros~1 :
> Senior System Engineer | For when quality, reliability
> at RnD Consulting | and security just aren't
> \_ that important!
> DISCLAIMER:
> These are MY OPINIONS ALONE. I speak for no-one else.
> FYI:
> perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
>
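An added example, not part of either message in the thread: a small parser for the kind of `lsof -i` listing quoted above. The point it makes explicit is how lsof's NAME column is read. A TCP listener carries a trailing state such as `(LISTEN)`; a socket that actually has a peer shows `local->remote`; a UDP entry with no `->` records only the local address the socket is bound to, with no peer at all. The sample input is the listing from the post, plus one constructed line (the `ntp.example.com` peer is made up for illustration) showing what a connected UDP socket would look like, so the two cases can be told apart and a reviewer can flag only genuine peers outside an allow-list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Sample input 1: the lsof -i listing quoted in the thread (verbatim from the post).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 450 root 3u IPv4 395 TCP *:ssh (LISTEN)
xntpd 465 root 4u IPv4 420 UDP *:ntp
xntpd 465 root 5u IPv4 421 UDP d94s117.subd.company.com:ntp
xntpd 465 root 6u IPv4 422 UDP rl1.subd.company.com:ntp
"""

# Sample input 2: a CONSTRUCTED line (not from the post) showing how lsof renders a
# UDP socket that really does have a peer: "local->remote" in the NAME column.
CONSTRUCTED_EXTRA = """\
xntpd 465 root 7u IPv4 423 UDP rl1.subd.company.com:ntp->ntp.example.com:ntp
"""


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str             # NODE column: "TCP" or "UDP"
    local: str             # local address:port the socket is bound to
    remote: Optional[str]  # peer address:port, only when NAME contains "->"
    state: Optional[str]   # trailing "(LISTEN)", "(ESTABLISHED)", ... for TCP


def parse_lsof_i(text: str) -> List[Socket]:
    """Parse `lsof -i` output. The SIZE column is often blank, so columns are
    located by finding the NODE field (TCP/UDP) instead of by fixed position."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "COMMAND":
            continue
        node_idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if node_idx is None:
            continue
        name = " ".join(fields[node_idx + 1:])
        state = None
        m = re.search(r"\((\w+)\)$", name)
        if m:
            state = m.group(1)
            name = name[:m.start()].strip()
        if "->" in name:
            local, remote = name.split("->", 1)
        else:
            local, remote = name, None
        sockets.append(Socket(fields[0], int(fields[1]), fields[2],
                              fields[node_idx], local, remote, state))
    return sockets


def classify(sock: Socket) -> str:
    """Human-readable reading of one entry, distinguishing bindings from peers."""
    if sock.remote:
        return "%s[%d] %s connected to %s" % (sock.command, sock.pid, sock.proto, sock.remote)
    if sock.state == "LISTEN":
        return "%s[%d] TCP listener on %s" % (sock.command, sock.pid, sock.local)
    if sock.proto == "UDP":
        return "%s[%d] UDP socket bound on %s (no peer recorded)" % (
            sock.command, sock.pid, sock.local)
    return "%s[%d] %s %s" % (sock.command, sock.pid, sock.proto, sock.local)


def unexpected_peers(sockets: List[Socket], allowed_hosts: Set[str]) -> List[Socket]:
    """Only entries with an actual remote endpoint can be 'talking to' a host;
    return those whose peer host is not on the allow-list."""
    flagged = []
    for s in sockets:
        if s.remote:
            host = s.remote.rsplit(":", 1)[0]
            if host not in allowed_hosts:
                flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in parse_lsof_i(SAMPLE_LSOF + CONSTRUCTED_EXTRA):
        print(classify(s))
    for s in unexpected_peers(parse_lsof_i(SAMPLE_LSOF + CONSTRUCTED_EXTRA),
                              {"rl1.subd.company.com"}):
        print("REVIEW:", s.command, s.pid, "->", s.remote)
```

Run against the listing from the post alone, every xntpd line classifies as a local binding and `unexpected_peers` returns nothing; only the constructed `->` line is reported. The same split (binding versus peer) is what to look at first when an `lsof -i` line looks like traffic to an unfamiliar host.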