comp.security.unix and comp.security.misc frequently asked questions


Post by Alan J Rosenth » Thu, 24 Jun 1999 04:00:00

Archive-name: computer-security/most-common-qs
Posting-frequency: monthly
Last-seriously-modified: April 1999
Last-modified: June 1999

This is a faq file for comp.security.misc and comp.security.unix.  It is
cross-posted to alt.security because I think it will also be useful there.
Yes, I know that syntactically, these are not all "questions".

Please check whether your question is in this file before posting.
Also, unix-specific questions should be posted to comp.security.unix, not
comp.security.misc; so if they're in here, there are now TWO reasons not to
post them to comp.security.misc.

------------------------------

Subject: Table of contents

- This faq

- Can anyone here tell me how to exploit the <whatever> bug?
  or Can anyone here tell me how to break in to my ISP?

- What do the "identd" lines in my syslog mean?  Is this a security
  exposure?  Can I turn off identd?

- I just noticed that <something>.  Has my machine been compromised?

- What does port number <whatever> mean?

- Here's new, unbreakable encryption software.

- Is there a newer version of cops?

- Tripwire fails the self-test, dumps core when building the database, and
  dumps core when verifying.

- Cops won't "make" in some versions of linux (GNU).

- What's that weird URL with SATAN/SAINT?  I'm not running a web server!
  or SATAN says "Can't find my own hostname".

- SATAN doesn't display right in my web browser; it asks me to save the file.

- How do I find all setuid and setgid files?

- I can't get .rhosts/.shosts to work with ssh.
(Note: there is a newsgroup comp.security.ssh)

- Should I block all ICMP at my firewall/router?

- Is a portscan of a machine malicious/illegal/unfriendly?

- Can my ISP/employer monitor <various things I'm doing>?

------------------------------

Subject: This faq

This is not supposed to be a statement of group consensus.  This is simply
supposed to be a few VERY frequently asked questions and their answers, so
that we can snidely say "see the faq" when people ask them.  The answers
supplied are supposed to be completely uncontroversial amongst people who
know what they're talking about.  (My first answer might be a bit borderline
in this respect but I don't recall ever having seen a contrary opinion here.)
Except for the portscan question, in which I've attempted to present ALL of
the major views.

Contributions of questions are welcome (with or without answers); however,
the idea is that they are supposed to be things which have straightforward
answers and which we see very frequently (at least prior to their inclusion
in this document).  If your answer is long, it might not belong in this
document, at least as I see the purpose of this document.  For example, it is
intentional that this document doesn't contain firewall recommendations, even
though that's a frequently-asked question here.  (But see the firewall faq at
http://www.clark.net/pub/mjr/pubs/fwfaq/)

Thanks to Juan Gallego, Lamont Granquist, and Martin Ouwehand for additional
suggestions re finding setuid files on different systems.  Thanks to Dan Niles
and Jyrki Havia for tripwire bug details as posted to the newsgroup.
Also taken from the newsgroup are some words from Olaf Schreck about
correctly editing the SATAN perl file (responding to a newbie error).

Disclaimer: The posting of this file is not to be construed as a commitment
to provide free consulting to people I don't know.  Post your questions to
the newsgroup and I might answer them there, or someone else might do it
better.  (Although if you say "please send e-mail copies", I'm going to
ignore your message.)

Disclaimer 2: There ARE errors in this file, but at the time of writing, I
didn't know what they were.  (If I knew, I would have fixed them.)  This
document is offered on an "as-is" basis, no warranty is implied, blah blah blah.

The metafaqs say you should choose a random day of the month to post monthly
faqs on, so I just used random() and got the number 22 (I don't think it's
necessary for it to be a cryptographic random number).

------------------------------

Subject: Can anyone here tell me how to exploit the <whatever> bug?
        or Can anyone here tell me how to break in to my ISP?

No.  We're security professionals.  We try to secure systems.  We think that
securing systems and fixing bugs are more intellectual activities than running
a program which someone else wrote which you don't understand.

You should only attempt "penetration testing" of a system with the consent
of its administrators and/or owners.  They will only be interested in your
services if you know something.  You can start your education by learning
some general computer science and computer programming, and by reading
computer security textbooks and/or newsgroups.

------------------------------

Subject: What do the "identd" lines in my syslog mean?  Is this a security
        exposure?  Can I turn off identd?

Discarding the timestamp and hostname, the lines look something like this:

    identd[10362]: from: 205.238.143.33 ( mail.dejanews.com ) for: 20546, 25
    identd[10362]: Successful lookup: 20546 , 25 : flaps.users

This states that the machine 205.238.143.33 asked your machine who was
connecting from port 20546 on your machine to port 25 on 205.238.143.33.
And your machine responded that the user was "flaps", and that flaps's group
is "users".  (10362 is the process id number of this particular invocation of
identd; for example, if two identd requests happened at about the same time
and the two lines were interleaved, it would help you sort them out.)

Theoretically, this is a security-sensitive data exposure, although the
practical effect of this is arguably nil.  And it can be very helpful to the
admin of a machine which often has more than a few simultaneous users.  When
one of your users does something untoward, this allows the remote machine to
log the username, and then the remote sysadmin's complaint to you will
contain information useful to you.  A linux machine at home connected to the
internet via ppp and with only one user should not be running identd because
it does not contribute to this process.  Very few things on the net REQUIRE
the sender to be running identd, because many machines don't have it and
because many people turn it off.

Your identd program probably has various options to configure what
information it discloses; see the man page.  You might want to run it with
options to minimize data OTHER than the above (-o and -e in the common
implementation), and/or perhaps run it with the option to report numeric uids
rather than lognames (-n), which is just as useful for tracking down
offenders from your point of view.  On the other hand, if you report numeric
uids, then in some cases the remote people will be able to gain logname<->uid
translation info (e.g. the outgoing connection is a mail message bearing
'from' information), so it's hard to say which discloses less data.

If you feel that this data is sensitive but still want to run identd, there
are some identd servers out there which report the data encrypted, so that
all the target operators can do with the information they get is to send the
token back to you for your own use.  This facility might be available as -C.

You specify these options on the identd command-line, wherever it appears,
which is usually in /etc/inetd.conf.

The identd protocol is documented in RFC 1413.  It is the same as "auth"
(the service listed as "auth" on TCP port 113 in /etc/services).
The query specifies the port numbers only; the two IP addresses are the sender
and target of the identd query.  Thus you cannot query about IP connections to
other machines, although you can query about connections which don't concern
you but are to a machine you have an account on.

RFC 1413 states, "If you wouldn't run a 'finger' server due to privacy
considerations you may not want to run this protocol."  I agree with this but
suggest that it might not apply to a cryptographic identd (e.g. -C).

------------------------------

Subject: I just noticed that <something>.  Has my machine been compromised?

Maybe.  You probably don't know whether it always was like this.  You should
look around your system enough of the time that you get used to how things
look BEFORE you get broken into.  And you should make a practice of following
up oddities you find, so that your judgement as to what is and is not weird
improves with experience.

If it's too late for that, before posting to comp.security.* ask at least
one local expert in the OS you're running, or in the case of unix, one local
unix expert.  There may be a straightforward, happy explanation for the
behaviour you observe.  Or there may not.  Not all anomalies are the result
of an intrusion; to some extent "My machine has been broken into!" has
replaced the "I have a virus!" default explanation of a few years ago.
On the other hand, machine breakins are very common these days, too.

------------------------------

Subject: What does port number <whatever> mean?

The basic reference is RFC 1700 (a snapshot of the IANA assignments), or the
list IANA keeps current at
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

However, you can write a program which uses any port number, whether it has a
standard meaning or not; and similarly you can write a program which uses a
port number in a way contrary to its standard meaning.

If you notice an attempted connection to a weird port number on your machine,
the connection might have been meant for some other machine running an
idiosyncratic service (perhaps someone typoed the IP address or hostname), it
might be a probe for a widely-spread trojan horse program, it might be part
of some kind of portscan, or plenty of other possibilities.

If you notice your machine listening on an unexpected port, you may
have been broken into, or it may be a "feature" of your OS distribution
or some third-party software you're running.  In unix, most ports your
OS distribution will use will be listed in /etc/services, along with
MANY you don't use.  /etc/inetd.conf lists services whose daemons are
...
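
The identd section above describes the RFC 1413 exchange and the two syslog
lines it leaves behind.  What follows is an added example, not code from the
FAQ: a minimal Python ident responder that answers the query behind those two
log lines in the login-name, numeric-uid (as with -n) and hidden modes the FAQ
mentions, plus a parser that pairs "from:" and "Successful lookup:" lines by
pid.  The connection table, the second log entry (pid 10363, irc.example.net),
the "0 , 0" error prefix for a malformed query and the OTHER tag on the numeric
reply are this example's own assumptions, not anything the FAQ states.

```python
"""RFC 1413 ident queries and the identd syslog lines that record them.

Added example, not code from the FAQ: a minimal ident responder answering
the query behind the FAQ's two syslog lines (login-name, numeric-uid as
with -n, and hidden modes), plus a parser that pairs 'from:' and
'Successful lookup:' lines by pid.  Connection table and log lines are
constructed for the example.
"""
import re

# Constructed: this host's TCP connections, keyed by (local port, remote
# address, remote port).  A real identd gets these from the kernel.
CONNECTIONS = {
    (20546, "205.238.143.33", 25): {"uid": 1001, "logname": "flaps"},
}


def parse_request(line):
    """Parse '<port-on-server> , <port-on-client>'; None if malformed."""
    m = re.fullmatch(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*", line.rstrip("\r\n"))
    if not m:
        return None
    srv, cli = int(m.group(1)), int(m.group(2))
    if not (1 <= srv <= 65535 and 1 <= cli <= 65535):
        return None
    return srv, cli


def respond(line, peer_addr, mode="logname"):
    """RFC 1413 reply for a query received over a connection from peer_addr.

    The query carries only port numbers; the two IP addresses are the ends
    of the ident connection itself, so peer_addr is the far end of the
    connection being asked about.  mode is "logname" (USERID : UNIX : name),
    "numeric" (the uid, as identd -n reports; the OTHER opsys tag is this
    example's choice for a non-login-name token) or "hidden" (HIDDEN-USER).
    """
    req = parse_request(line)
    if req is None:
        # Simplification: no attempt to echo ports from a malformed query.
        return "0 , 0 : ERROR : INVALID-PORT"
    srv, cli = req
    ports = f"{srv} , {cli}"
    conn = CONNECTIONS.get((srv, peer_addr, cli))
    if conn is None:
        return f"{ports} : ERROR : NO-USER"
    if mode == "hidden":
        return f"{ports} : ERROR : HIDDEN-USER"
    if mode == "numeric":
        return f"{ports} : USERID : OTHER : {conn['uid']}"
    return f"{ports} : USERID : UNIX : {conn['logname']}"


# The two line formats quoted in the FAQ; search() skips timestamp/hostname.
LOG_FROM = re.compile(r"identd\[(\d+)\]: from: (\S+) \( (\S+) \) for: (\d+), (\d+)")
LOG_OK = re.compile(r"identd\[(\d+)\]: Successful lookup: (\d+) , (\d+) : ([^.\s]+)\.(\S+)")


def parse_log(lines):
    """Pair each 'from:' line with its 'Successful lookup:' line by pid.

    Two lookups served at the same moment interleave in syslog; the pid
    (10362 in the FAQ) is what lets you match them up.
    """
    pending, records = {}, []
    for line in lines:
        m = LOG_FROM.search(line)
        if m:
            pid = int(m.group(1))
            pending[pid] = {"pid": pid, "asker": m.group(2), "asker_name": m.group(3),
                            "local_port": int(m.group(4)), "remote_port": int(m.group(5))}
            continue
        m = LOG_OK.search(line)
        if m:
            pid = int(m.group(1))
            rec = pending.pop(pid, {"pid": pid})
            rec.update(local_port=int(m.group(2)), remote_port=int(m.group(3)),
                       user=m.group(4), group=m.group(5))
            records.append(rec)
    return records


# Constructed syslog excerpt: two lookups interleaved, pids 10362 and 10363.
SAMPLE_LOG = [
    "Jun 23 14:02:11 host identd[10362]: from: 205.238.143.33 ( mail.dejanews.com ) for: 20546, 25",
    "Jun 23 14:02:11 host identd[10363]: from: 192.0.2.7 ( irc.example.net ) for: 1043, 6667",
    "Jun 23 14:02:11 host identd[10363]: Successful lookup: 1043 , 6667 : bob.staff",
    "Jun 23 14:02:12 host identd[10362]: Successful lookup: 20546 , 25 : flaps.users",
]

if __name__ == "__main__":
    print(respond("20546, 25\r\n", "205.238.143.33"))
    print(respond("20546, 25\r\n", "205.238.143.33", "numeric"))
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```

Run it directly to see the three kinds of reply and the two paired log
records.  One thing the code makes visible that the prose does not: even in
"hidden" mode the responder answers HIDDEN-USER only when the connection
exists and NO-USER otherwise, so an asker still learns whether a given port
pair is in use; that residual leak is part of what the FAQ means by "arguably
nil".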


Post by Alan J Rosenth » Fri, 25 Jun 1999 04:00:00

>>If you notice your machine listening on an unexpected port, you may
>>have been broken into, or it may be a "feature" of your OS distribution

>1) What are the default, expected listening ports for a Win98 PC?

Good question, and one I'd be grateful for a more authoritative answer for
from someone who likes those blasted things.

All win95 machines seem to like to listen on port 139 for their name service
thing (better terminology requested).  If you have file sharing on, I think
that that adds ports 137 and 138.  Other than that, most other port numbers
might be surprising, but I could be wrong.  I see a machine listening on
port 135 and I don't know what that's for...  could be some win NT thing??
All those are TCP; any UDP default listeners?  Incidentally I'd like to
invite the original poster to mail me netstat output if s/he'd like.

>>To see what listeners you have running (open ports), the canonical
>>incantation is "netstat -an".  But doing a portscan from a remote machine
>>might be more reliable if you suspect your machine has been compromised,
>>because the netstat program could have been replaced.

>2) If my netstat program /has/ been replaced, would it be enough simply
>to over-write it with the original Netstat.exe file from the Win98 CD?

Maybe.  It depends on what else has been replaced.  Shared libraries (DLLs)
netstat uses could also hide information from it, as could a modified
OS kernel.  It would definitely be better to scan it from a different
machine, but running netstat.exe off the CD is better than running it off
the hard disk in case the only thing preventing the correct output is a
trojan version of netstat.exe itself, which is probably the most likely case anyway,
although definitely not the only possible way to interfere with it.
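
The FAQ's port-number section says to look an unexpected listener up in
/etc/services while remembering that a program can use any port it likes, and
the follow-up above says "netstat -an" is the canonical way to list what is
listening.  The following is an added example, not code from the FAQ or from
the follow-up: it names each listener from an /etc/services-style table and
flags the ones you did not expect.  It goes a little beyond the thread by
accepting both the Linux and the Windows netstat -an layouts.  The services
table, both netstat transcripts (including the arbitrary port 19283 and the
addresses in the ESTABLISHED line) and the "expected" sets are constructed for
the example; on a real host you would read /etc/services and run netstat -an,
or scan the host from another machine as the follow-up recommends.

```python
"""What a listening port means: /etc/services lookup over netstat -an output.

Added example, not code from the FAQ or the follow-up post.  Names each
listener from an /etc/services-style table and flags any port you did not
expect to be open; accepts the Linux and the Windows netstat -an layouts.
The services table and both netstat transcripts below are constructed.
"""
import re

# Constructed subset of /etc/services: name  port/proto  [aliases]
SERVICES_TEXT = """\
ftp          21/tcp
ssh          22/tcp
smtp         25/tcp      mail
auth        113/tcp      authentication tap ident
netbios-ns  137/udp
netbios-dgm 138/udp
netbios-ssn 139/tcp
"""

# Constructed "netstat -an" output, Linux layout.  19283 is an arbitrary
# port chosen for the example.
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:19283           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:20546        205.238.143.33:25       ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
"""

# Constructed "netstat -an" output, Windows layout (no queue columns, state
# spelled LISTENING, UDP foreign address printed as *:*).
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>tcp|udp)6?\s+(?:\d+\s+\d+\s+)?"   # proto, optional Recv-Q/Send-Q
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+\S+"            # local addr:port, foreign addr
    r"(?:\s+(?P<state>\S+))?\s*$",                    # optional state column
    re.IGNORECASE,
)


def parse_services(text):
    """Map (port, proto) -> canonical name, as getservbyport() would."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        table.setdefault((int(port), proto), fields[0])
    return table


def listening_ports(netstat_output):
    """Set of (port, proto) that will accept traffic: TCP sockets in the
    LISTEN/LISTENING state and every bound UDP socket (UDP has no state)."""
    found = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto = m.group("proto").lower()
        state = (m.group("state") or "").upper()
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue
        found.add((int(m.group("lport")), proto))
    return found


def explain_listeners(netstat_output, services, expected):
    """Name each listener and flag those not in `expected`, the set of
    (port, proto) pairs this machine is supposed to offer.  A name is only
    the port's conventional meaning: the program behind it can be anything."""
    report = []
    for port, proto in sorted(listening_ports(netstat_output)):
        name = services.get((port, proto), "not in services table")
        flag = "ok" if (port, proto) in expected else "UNEXPECTED"
        report.append((port, proto, name, flag))
    return report


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    expected = {(22, "tcp"), (25, "tcp"), (113, "tcp"), (137, "udp")}
    for row in explain_listeners(LINUX_NETSTAT, services, expected):
        print("%5d/%s  %-22s %s" % row)
```

The "expected" set is the part you have to supply yourself, which is the
FAQ's point about getting used to how the machine looks before anything goes
wrong.  Remember too that this only interprets whatever netstat printed: if
netstat, a DLL it uses or the kernel has been replaced, the input is already
lying, which is why the follow-up prefers a scan from a different machine.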