From: Chris Faulhaber (jedgar@fxp.org)
Date: Thu Sep 06 2001 - 09:53:45 CDT


    On Thu, Sep 06, 2001 at 10:34:12AM -0400, Fernan Aguero wrote:
    > In the last few days I started noticing strange things. Some of them
    > I do not understand and perhaps are normal things (such as being scanned)
    > and others may be more critical.
    > I appreciate any help and insight you can give me.
    >
    > I am running FreeBSD-4.3.0p15 (RELENG_4_3).
    >
    > 1 - I have been receiving some messages at the console that I would like
    > to understand better:
    > arp: unknown hardware address format (0x0800)
    >
    > Lately I have many of these messages per day. What could be
    > causing this?
    >

    This is a FAQ. Basically a machine on your network is sending out
    invalid arps. Search the mailing list archives for details.

    > 2 - I also notice this in /var/log/messages
    > Sep 6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat:
    > ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y
    > Sep 6 06:00:35 iib005 /kernel: -^PM-^PM-^P
    >
    > The messages in the console appear a little different, with a lot
    > of gibberish after sm_stat: and /kernel:
    >

    Probably a Linux or Solaris rpc attack/exploit. Doesn't affect
    FreeBSD machines (except for annoying log entries).

    > 3 - If I run 'nmap -v localhost' I can see a few ports open
    *snip*
    > What services run on 1020 and 1021? I am not aware of having enabled
    > those, and they do not appear in /etc/services.
    >

    Run sockstat (or lsof, etc) to see what is bound to those ports.

    > And relating to this, do i need sendmail listening on 25 and 587 if
    > I only need to send mail to a smart host?

    You can probably just use -q30m for sendmail flags if you are not
    accepting email, which will not open listening sockets.

    > Also: I need to print to a network printer but I'm not a print server.
    > Do I need 515 open?

    Nope. See the lpd(8) man page (-p option).

    > How do I close those ports (25,587,515)?

    First see what programs are bound to those ports (see above).
    25 == telnetd (run from inetd)
    515 == lpd (see above)

    > And last, I am running xdm but I only allowed connections from
    > localhost. Is this in any way related to X11 being on port 6000?
    > (/etc/services shows xdm on port 177)
    >

    Probably. The 6000 range of ports is usually X listening.

    > 4 - I normally run tripwire each night on the system and I never noticed
    > anything strange. But every time I update my system (cvsup, make world)
    > I have to go over lots of new files that I need to tell tripwire to
    > update.
    > The last time I did this I noticed a strange thing under /bin:
    > -r-xr-xr-x 2 root wheel 50868 Sep 3 13:27 /bin/[

    /bin/[ is a hard link to /bin/test (normal); 'man [' for details.

    -- 
    Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
    --------------------------------------------------------
    FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: FreeBSD: The Power To Serve

    iEYEARECAAYFAjuXjfkACgkQObaG4P6BelAipgCfUQ94+V4A117wsgUyXBBz1d+g
    QO8An3Xba68Sdqy72BIVQMQBti5k89jj
    =VbW7
    -----END PGP SIGNATURE-----
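Two checks that follow from the reply above, as an added example that is not part of the original thread or anyone's posted code: a classifier for the two kinds of log line quoted in the question (bogus ARP frames, and the binary junk sent to rpc.statd, telling a crafted payload apart from a merely odd client hostname), and a parser for `sockstat -4 -l` output that answers "what is bound to 1020 and 1021" from the process table instead of guessing from /etc/services. The log lines and the sockstat listing are constructed for the example; the process names on the sample ports are assumptions, and the real answer comes from running sockstat on the host.

```python
"""Triage helpers for the symptoms discussed in the thread (added example).

  * classify_syslog()  - scans /var/log/messages-style lines for the two
    patterns quoted in the question: bogus ARP frames, and garbage sent to
    rpc.statd, telling a crafted payload from a merely odd client hostname.
  * listeners_from_sockstat() / who_owns_port() - map a listening port back
    to its process from `sockstat -4 -l` output, which is how to answer
    "what is on 1020 and 1021" rather than guessing from /etc/services.

The log lines and the sockstat listing below are constructed samples; the
process names on the sample ports are assumptions, not facts about any host.
"""
import re
from collections import Counter

# "Mon dd hh:mm:ss host program: message" (syslogd pads the day to 2 chars)
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")
ARP_RE = re.compile(r"^arp: unknown hardware address format \((0x[0-9a-f]+)\)")
STATD_RE = re.compile(r"^invalid hostname to sm_stat:\s*(.*)$")
# syslogd writes control bytes in caret notation (^X) and high-bit bytes as M-x
CARET_RE = re.compile(r"\^[@-_?]|M-")


def looks_like_garbage(field):
    """True if the text holds raw non-printable/high-bit bytes or several
    syslogd escape sequences, i.e. binary data where a hostname belongs."""
    raw_bad = sum(1 for ch in field if ord(ch) < 0x20 or ord(ch) > 0x7E)
    escaped = len(CARET_RE.findall(field))
    return raw_bad > 0 or escaped >= 2


def classify_syslog(lines):
    """Return bogus-ARP counts per hardware-format code plus a list of
    (timestamp, program, verdict, text) findings for binary junk in logs."""
    arp_formats = Counter()
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp, _host, program, message = m.groups()
        a = ARP_RE.match(message)
        if a:
            arp_formats[a.group(1)] += 1
            continue
        s = STATD_RE.match(message)
        if s:
            payload = s.group(1)
            # statd rejects any hostname it cannot resolve; only binary
            # content marks the request as a crafted exploit packet
            verdict = "exploit-attempt" if looks_like_garbage(payload) else "misconfigured-client"
            findings.append((stamp, program, verdict, payload))
        elif looks_like_garbage(message):
            # e.g. the "/kernel: -^PM-^PM-^P" line: payload bytes echoed by the kernel
            findings.append((stamp, program, "binary-garbage", message))
    return {"arp_bogus": dict(arp_formats), "findings": findings}


def listeners_from_sockstat(text):
    """Parse `sockstat -4 -l` output into {(proto, port): (command, pid)}.
    Listening sockets show a foreign address of '*:*'."""
    listeners = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 7:
            continue
        _user, command, pid, _fd, proto, local, foreign = parts[:7]
        if foreign != "*:*":
            continue
        port = int(local.rsplit(":", 1)[1])
        listeners[(proto, port)] = (command, int(pid))
    return listeners


def who_owns_port(listeners, port):
    """All (proto, command, pid) bound to `port`; [] means nothing listens there."""
    return [(proto, cmd, pid) for (proto, p), (cmd, pid) in sorted(listeners.items()) if p == port]


# --- constructed samples (the statd payload is the one quoted in the question) ---
SAMPLE_LOG = """\
Sep  6 05:58:10 iib005 /kernel: arp: unknown hardware address format (0x0800)
Sep  6 06:00:34 iib005 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y
Sep  6 06:00:35 iib005 /kernel: -^PM-^PM-^P
Sep  6 06:02:01 iib005 rpc.statd: invalid hostname to sm_stat: my_laptop
Sep  6 06:10:44 iib005 /kernel: arp: unknown hardware address format (0x0800)
"""

SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   123   4  tcp4   *:25                  *:*
root     sendmail   123   5  tcp4   *:587                 *:*
root     lpd        98    6  tcp4   *:515                 *:*
root     rpc.statd  86    4  udp4   *:1020                *:*
root     rpc.statd  86    5  tcp4   *:1021                *:*
root     XFree86    140   1  tcp4   *:6000                *:*
"""

if __name__ == "__main__":
    report = classify_syslog(SAMPLE_LOG.splitlines())
    print("bogus ARP frames by format code:", report["arp_bogus"])
    for stamp, program, verdict, text in report["findings"]:
        print(f"{stamp} {program}: {verdict}: {text!r}")
    listeners = listeners_from_sockstat(SAMPLE_SOCKSTAT)
    for port in (25, 587, 515, 1020, 1021, 6000, 23):
        print(port, who_owns_port(listeners, port) or "nothing bound")
```

The ARP counter only tells you how often the bad frames arrive; finding the sender still means looking at the ARP cache or a packet capture on that segment. For the statd lines the useful split is between printable-but-unresolvable hostnames (a client with a broken name) and binary payloads, which are the remote exploit attempts the reply describes; either way the fix on the receiving side is the same: stop exposing rpc.statd to the network if the host does not need it.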
