
Re: LPRNG vulnerability [was Re: weird messages in syslog]



Jim McCloskey said:
>

> I've not had to deal with such an exploit before, so I would really
> appreciate any advice that's going. I've stopped the lprng daemon
> for now, until I can tighten things up.

depending on the box and its uses, most likely if it was
mine i would reinstall. that's really the only way to be sure.

otherwise, keep an eye on /etc/passwd for trojan accounts. i've
had a redhat system compromised by an old lpd exploit about
a year ago. the system was unmaintained and one day i logged
in to find a few new accounts on the system :) also do routine
nmap scans on it, both tcp and udp, for anything unusual listening.
i recommend firewalling (i don't trust tcp_wrappers) anything
that's not in use.. feel free to nmap my machine portal.aphroland.org
and you'll see the dozens and dozens and dozens of ports i have
firewalled. i re-nmap scan every time i boot the system since
the rpc services use a semi-random port when they load. and i
need rpcs for nfs for my internal network.. i wish i could get
rpcs to bind to a specific nic; that would be a huge improvement.

i wish ipchains had the ability to firewall a range of ports like
ipf does. or wish someone would just port ipf to kernel 2.2 :)
i'm not using 2.4 anytime soon. would make things much easier:
i would just firewall 500-1023 and not have to nmap each time,
and not have to have 500 individual rules for each port!

i just need to turn my freebsd machine into a real firewall
instead of a server that sits there and does nothing ..


the main thing tho is /etc/passwd. from the 2 systems i've
had compromised (1 last year, 1 about 4 years ago) both
had new accounts on them.

and i would try to dig up an exploit for that lprng bug
and see if it works on your system. maybe you can get a
better idea if you were compromised or not. from the look
of the logs and the brief report i skimmed on securityfocus
it seems quite likely you were - even though you may have
a newer version than what was once affected.


nate
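The advice above to keep an eye on /etc/passwd for new accounts, worked into a small checker as an added example (my code, not nate's or anything from the list): it parses a saved baseline copy of the file and the current one, then reports accounts that appeared, accounts whose UID became 0, changed login shells, and any case where more than one account carries UID 0. The two passwd listings below are constructed sample data; the function names are my own.

```python
"""Diff a saved /etc/passwd baseline against the current file and flag
changes that commonly show up after a compromise: new accounts (especially
UID 0 ones), existing accounts promoted to UID 0, changed login shells, and
duplicate UID-0 entries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text into {username: PasswdEntry}.

    Blank lines and '#' comments are skipped; a line without exactly seven
    colon-separated fields is treated as corruption and rejected."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries


def compare_passwd(baseline, current):
    """Return a list of (severity, message) findings, most to least
    interesting within each category, in a stable order."""
    findings = []
    # Accounts that exist now but not in the baseline: the classic sign
    # described in the message. A new UID-0 account is the worst case.
    for name in sorted(set(current) - set(baseline)):
        e = current[name]
        sev = "HIGH" if e.uid == 0 else "MEDIUM"
        findings.append((sev, f"new account {name} (uid={e.uid}, shell={e.shell})"))
    # Removed accounts are usually legitimate but worth a glance.
    for name in sorted(set(baseline) - set(current)):
        findings.append(("LOW", f"account {name} removed"))
    # Existing accounts whose privileges or shell changed.
    for name in sorted(set(baseline) & set(current)):
        b, c = baseline[name], current[name]
        if b.uid != 0 and c.uid == 0:
            findings.append(("HIGH", f"{name} uid changed {b.uid} -> 0"))
        elif b.uid != c.uid:
            findings.append(("MEDIUM", f"{name} uid changed {b.uid} -> {c.uid}"))
        if b.shell != c.shell:
            findings.append(("MEDIUM", f"{name} shell changed {b.shell} -> {c.shell}"))
    # More than one UID-0 account is a red flag regardless of the baseline.
    roots = sorted(n for n, e in current.items() if e.uid == 0)
    if len(roots) > 1:
        findings.append(("HIGH", f"multiple uid-0 accounts: {', '.join(roots)}"))
    return findings


# Constructed sample data: a clean baseline and a "current" file with the
# kind of changes the message describes (new accounts, one of them UID 0,
# and a system account given a real shell).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
jim:x:500:500:Jim:/home/jim:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
jim:x:500:500:Jim:/home/jim:/bin/bash
www:x:501:501:Web:/var/www:/bin/bash
sysadm:x:0:0::/:/bin/sh
"""


def check_sample():
    """Run the comparison over the constructed sample and return the findings."""
    return compare_passwd(parse_passwd(BASELINE_PASSWD), parse_passwd(CURRENT_PASSWD))


if __name__ == "__main__":
    for severity, message in check_sample():
        print(f"[{severity}] {message}")
```

In practice the baseline is a copy of /etc/passwd taken right after installation and stored somewhere the box itself cannot rewrite (removable media or another host), since a copy kept on the compromised system can be edited along with the real file; the same comparison applies to /etc/shadow and /etc/group.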