From: steeles on 18 Dec 2006 14:54

Hi all,

periodically /var/adm/messages always collects this type of messages,

Dec 18 13:09:57 denver rlogind[12345]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 13:09:57 denver rlogind[23456]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 13:09:57 denver rlogind[34567]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 13:09:57 denver rlogind[45678]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 13:09:57 denver rlogind[56675]: [ID 776819 daemon.error] failed to receive protocol zero byte

I don't know what could cause that, can anyone please advise?
From: Andreas F. Borchert on 19 Dec 2006 01:44

On 2006-12-18, steeles <steeles(a)gmail.com> wrote:
> periodically /var/adm/messages always collects this type of messages,
>
> Dec 18 13:09:57 denver rlogind[12345]: [ID 776819 daemon.error] failed to receive protocol zero byte
> Dec 18 13:09:57 denver rlogind[23456]: [ID 776819 daemon.error] failed to receive protocol zero byte
> Dec 18 13:09:57 denver rlogind[34567]: [ID 776819 daemon.error] failed to receive protocol zero byte
> Dec 18 13:09:57 denver rlogind[45678]: [ID 776819 daemon.error] failed to receive protocol zero byte
> Dec 18 13:09:57 denver rlogind[56675]: [ID 776819 daemon.error] failed to receive protocol zero byte
>
> I don't know what could cause that, can anyone please advise?

Most likely some attacker probed your rlogind port (TCP port 513) without attempting to login.

Andreas.
From: steeles on 19 Dec 2006 16:48

Attacker? How can I trace it?

Thanks.

"Andreas F. Borchert" <comp.unix.solaris(a)expires-on-2006-12-27.usenet.andreas-borchert.de> wrote in message news:slrneof2j6.qgk.comp.unix.solaris(a)usenet.andreas-borchert.de...
> On 2006-12-18, steeles <steeles(a)gmail.com> wrote:
>> periodically /var/adm/messages always collects this type of messages,
>>
>> Dec 18 13:09:57 denver rlogind[12345]: [ID 776819 daemon.error] failed to receive protocol zero byte
>> Dec 18 13:09:57 denver rlogind[23456]: [ID 776819 daemon.error] failed to receive protocol zero byte
>> Dec 18 13:09:57 denver rlogind[34567]: [ID 776819 daemon.error] failed to receive protocol zero byte
>> Dec 18 13:09:57 denver rlogind[45678]: [ID 776819 daemon.error] failed to receive protocol zero byte
>> Dec 18 13:09:57 denver rlogind[56675]: [ID 776819 daemon.error] failed to receive protocol zero byte
>>
>> I don't know what could cause that, can anyone please advise?
>
> Most likely some attacker probed your rlogind port (TCP port 513) without
> attempting to login.
>
> Andreas.
From: James Carlson on 20 Dec 2006 08:35

"steeles" <steeles(a)gmail.com> writes:
> Attacker? How can I trace it?

There's not much to 'trace' here ... but using snoop and/or ethereal would be a fair start.

-- 
James Carlson, KISS Network                    <james.d.carlson(a)sun.com>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
From: Andreas F. Borchert on 20 Dec 2006 11:12

On 2006-12-19, steeles <steeles(a)gmail.com> wrote:
> Attacker? How can I trace it?

Firstly, I would recommend running the ipfilter firewall software. (ipfilter is included in Solaris 10. You can download ipfilter from http://coombs.anu.edu.au/~avalon/ if you have an older release of Solaris.) Then, if you configure ipfilter to block and log TCP port 513 from outside, you see at least the IP address of the attacker.

You can also run snoop as already suggested. However, there is possibly not much to be seen beyond an initial TCP SYN/ACK/ACK handshake.

Another option would be to run snort, which can be asked to record all interesting packets. snort is available at http://www.sunfreeware.com/.

As documented at http://www.incidents.org/port_details.php?port=513, probes at TCP port 513 are rarely seen. Likewise, few servers actually continue to run rlogind, as this has been widely replaced by sshd. Perhaps the attacker used a tool like nmap to scan through a large number of your TCP ports to find out which are open. You can download nmap from http://www.sunfreeware.com/ and see for yourself which ports are left open and which traces are left by nmap in your logs.

Andreas.
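An added example, not code from the thread or from any of the tools named in it, applying the defender's side of the discussion: parse Solaris syslog lines of the kind steeles posted and flag a burst of rlogind "protocol zero byte" errors on one host within a short window, which is the probe-without-login pattern Andreas describes, while a lone error stays unreported as ordinary noise. The sample lines, the year 2006 (syslog omits it), the 60-second window and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample /var/adm/messages lines modelled on the thread's posting; PIDs and the sshd line are made up.
SAMPLE_LOG = """\
Dec 18 13:09:57 denver rlogind[12345]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 13:09:57 denver rlogind[23456]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 13:09:57 denver rlogind[34567]: [ID 776819 daemon.error] failed to receive protocol zero byte
Dec 18 14:30:02 denver sshd[777]: [ID 800047 auth.info] Accepted publickey for ops from 10.0.0.5
Dec 18 15:01:10 denver rlogind[60001]: [ID 776819 daemon.error] failed to receive protocol zero byte
"""
# Solaris syslog line: "Mon dd HH:MM:SS host prog[pid]: [ID msgid facility.level] message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: \[ID (?P<msgid>\d+) (?P<fac>[\w.]+)\] (?P<msg>.*)$"
)
ZERO_BYTE = "failed to receive protocol zero byte"  # rlogind message quoted in the thread

def parse_syslog(text, year=2006):
    """Return one dict per parsable line; syslog carries no year, so it is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in other formats are skipped rather than failing the whole run
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append(ev)
    return events

def find_probe_bursts(events, window_s=60, threshold=3):
    """Per host, report every run of >= threshold rlogind zero-byte errors that fits in window_s seconds."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["prog"] == "rlogind" and ev["msg"] == ZERO_BYTE:
            per_host[ev["host"]].append(ev["ts"])
    bursts = []
    for host, times in per_host.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i  # extend j while times[i..j] all fall within the window that starts at times[i]
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({"host": host, "start": times[i], "end": times[j], "count": j - i + 1})
                i = j + 1  # everything up to j is covered by this report
            else:
                i += 1  # a lone error (one dropped connection) is not worth an alert
    return bursts
```

Run it over a real /var/adm/messages by passing the file contents to parse_syslog; a reported burst is the point at which the ipfilter log or snoop capture Andreas suggests would show the source address.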