[ale] unidentified processes

[Dow Hurst]

John,
Even though James email is funny, he is absolutely correct in the
approach.  The portmapper and rpc.statd are RPC based processes along
with NFS and NIS (RPC uses UDP traditionally instead of TCP
connections).  The portmapper advertises what RPC services are available
on particular ports to remote requests.  rpc.statd lets remote
applications and remoted machines "know" what the status, of the local
machine or application that is RPC enabled, is.  Both services are
easily spoofed, cracked, and known cracks are available for both.  Since
you have had those running, as well as ftpd, you should reload from
scratch and choose to format your partitions too.  This is faster and
less prone to mistakes than working thru proving the machine is clean. 
(Even though that would be very educational!)  No service should be run
directly on a firewall machine that doesn't have to be.  That is why it
is recommended that you have a server inside your network for services
like Samba, NFS, and appletalk and not combine your firewall server with
that machine.  Running your firewall from a CD filesystem is a beautiful
suggestion.  Your cracker is limited even more by not being able to
change the read only system.  I need to look into that!

One major difficulty in setting up a firewall for people not intimate
with Linux, or any OS that is used, is that default choices during
install can leave you quite vulnerable and your not even aware of it til
you learn more.  Use "netstat -an" to prove that you have *only* sshd
advertising a service on port 22 before you hook back up to the
Internet.  You don't even have to have that, except it is convenient and
secure for remote admin. 

Here is an excerpt from an email Bob sent me just the other day:
"Btw, we just put up the first of 4 firewalls at this client (in
Europe).
It took only one hour and 34 minutes for someone to discover it and
start
breaking into it.  Within 20 minutes after that, a second cracker joined
in."

So you see it doesn't take long for a scan to find you and start to
reveal possible entry points.  I would just reload to be on the safe
side.  With more experience and a good "dd" backup, you can quickly
identify differences in a file system to see if your hacked.  At my
workplace, we have been recovering from a several crackers for the past
year.  Nov. 2000 we had the telnetd hole exploited on most of our SGIs. 
We don't have much manpower to rebuild systems and keep our work moving
along, so it has taken all year to work on rebuilding machines.  Hope
this helps,
Dow


John Wells wrote:
> 
> In addition to ftp and ssh, I have two processes
> running on ports 111 and 1024.  They both seem to work
> with rpc, and are the portmapper and rpc.statd
> respectively.
> 
> Can I disable these processes without any effect to my
> system?  If so, I assume I just remove the links to
> the startup scripts from my runlevel's startup
> directory.
> 
> Also, how insecure is it to run ftp on my
> router/firewall box?
> 
> Thanks,
> John
> 
> __________________________________________________
> Do You Yahoo!?
> Check out Yahoo! Shopping and Yahoo! Auctions for all of
> your unique holiday gifts! Buy at http://shopping.yahoo.com
> or bid at http://auctions.yahoo.com
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.