Well not really attacks, but these two ports (auth and rpc) often get connections, i have a strict firewall that doesn't allow anything < 1024 unless i specifically allow it. I sometimes get connections on nntp and dns but 111 and 113 every day, multiple times, from different addresses. Anyone have an idea of what they're scanning for?
What are the services run on these /usually/. I know it's sunrpc and tap authentication, but what do they do for you? I had sunrpc.portmap (or something like that) in my old slackware install that i commented out because i didn't know what it did, from my understanding it has something to do with nfs. As for tap auth? no idea.
thanks
-out-
SKoL
03-27-2001, 01:57 AM
Well, ever heard of Lion and the Ramen worm?
All my servers get scanned like this at work.. You get used to it after a while; you should only be worried if you're running BIND under version 8.0 I believe. :)
aph3x
03-27-2001, 04:04 AM
egrep "111|113" /etc/services
111 is sunrpc, which *i think* is used for mounting NFS filesystems. I've read a few articles on NFS exploits, this may be what the scans are looking for.
113 is used for auth (ident) requests, which usually come from an IRC server when you connect. however, this could possibly be used to enumerate valid user names on your system... but then again, you can spoof ident requests. :)
Neo Wong
03-27-2001, 04:05 AM
Hi SKoL,
As my thought, I think RPC and portmap don't have any relationship with BIND. And as I know, any BIND versions under 8.3 can be affected by Lion. Right? :rolleyes:
Originally posted by SKoL:
Well, ever heard of Lion and the Ramen worm?
All my servers get scanned like this at work.. You get used to it after a while; you should only be worried if you're running BIND under version 8.0 I believe. :)
:rolleyes:
[GoRN]
03-27-2001, 09:18 PM
Originally posted by SKoL:
Well, ever heard of Lion and the Ramen worm?
yea, the one that attacks udp port 53, the one bind runs on...
I'm talking about tcp 111 and 113.
aph3x thanks, the auth info helps, i think i'll read up more on nfs.
And neo wong, yea you're right it's not related to the worms.
Also i'm not worried my system will be hacked, it's a home box and i watch it pretty close. I was just wondering why i get so many connections there.
-out-
Fandelem
03-27-2001, 10:01 PM
i have a home LAN - on a 56k modem ppp dialup connection - and i get 111 and 113 all the time -- they are upon the most popular, albeit 137-139.
as long as i'm getting the blocked messages, i'm content ;o)
jemfinch
03-28-2001, 05:00 AM
IRC servers and SMTP servers connect to port 113 of a connecting machine to check the user's ident.
For a long time, rpc services were insecure, so I wouldn't be surprised if they're still checking 111 just-in-case.
Jeremy
[GoRN]
03-30-2001, 02:00 PM
jemfinch, thanks
i skimmed the rfc on ident, you send it 2 ports (the one they are using and the one you are using) in the form of 80,2331 and it will tell you what user is using that connection. neat.
Thanks for the info guys!
BigBlockMopar
03-30-2001, 03:10 PM
The BIND versions vulnerable to the same buffer overflow used by the worm are:
- Anything below 8.2
- 8.2
- 8.2-P1
- 8.2.1
- 8.2.2-Px (where x is any number; this is the BIND in RH 6.2!)
- 8.2.3 betas (8.2.3-REL is okay).
- Most versions of 9.x from before this winter.
Note that only BIND 8.x appears to be capable of being used to transmit the worm.
This is a *serious* problem, please update your system ASAP, regardless of whether it's just a home server or what. Your machine could transmit the worm to hundreds of other systems before you find it. It appears that this worm is setting up machines to be repeaters in what would likely be the biggest DDoS attack ever staged.
Originally posted by zGoRNz:
And neo wong, yea your right it's not related to the worms.
Actually, the connection to 111 could be the ramen worm. It attacks ftp (wu's site exec), dns (bind, of course) and portmap (rpc.statd).
jemfinch
03-31-2001, 03:53 AM
If anyone here needs a nice, secure, spoofing identd server, I've written one in python. It's not large, so you can audit it yourself, and it's entirely stable (I have a friend who's been running it on his box since 13-Feb.)
Heck, it's short. I'll post it here.
#!/usr/local/bin/python -u
import os
import sys
import pwd
import socket
import asyncore
import asynchat
from random import randrange

# The two classes were cut off in the archived post and are filled in here from the
# behaviour described in the thread (a line handler that always answers "user" plus a
# random 0-9999 number); bytes literals keep this working on Python 2 and 3.x up to 3.11.
class identd_channel(asynchat.async_chat):
    def __init__(self, conn):
        asynchat.async_chat.__init__(self, conn)
        self.ibuffer = []
        self.set_terminator(b'\r\n')   # one request per line, CRLF terminated
    def collect_incoming_data(self, data):
        self.ibuffer.append(data)
    def found_terminator(self):
        request = b''.join(self.ibuffer).strip()
        self.ibuffer = []
        # Always a positive answer with a made-up name, never a real account.
        self.push(b'%s : USERID : UNIX : user%d\r\n' % (request, randrange(10000)))
        self.close_when_done()

class identd_server(asyncore.dispatcher):
    def __init__(self, port=113):
        asyncore.dispatcher.__init__(self)
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.set_reuse_addr()
        self.bind(('', port))
        self.listen(5)
    def handle_accept(self):
        pair = self.accept()
        if pair:
            identd_channel(pair[0])
    def start(self):
        asyncore.loop()

if __name__ == '__main__':
    if os.name != 'posix':
        print('Sorry, the server requires a posix operating system.')
        sys.exit(-1)
    # Os is posix, we can fork!  (first fork: detach from the calling shell)
    if os.fork() != 0:
        sys.exit(0)
    os.setsid()
    server = identd_server()   # bind port 113 while still root, then drop privileges
    os.chdir('/')
    try:
        user = sys.argv[1]
    except IndexError:
        user = 'nobody'
    uid, gid = pwd.getpwnam(user)[2:4]
    os.setgid(gid)   # group first, while the process can still change it
    os.setuid(uid)
    os.umask(0)
    if os.fork() != 0:   # second fork: the session leader exits, so no tty can be acquired
        sys.exit(0)
    server.start()
Hey, if you want it, it's yours. Public Domain, of course.
Jeremy
Algemon
03-31-2001, 04:34 AM
Jemfinch, I would appreciate if you answer a really dumb question I have.
I didn't even load identd on my system cause I wasn't sure I needed it. I don't use ICQ and generally only surf the net with a web browser etc. I have a firewall which blocks all connections not initiated by me. (ie blocks unrelated and new connections in iptables.)
1. Do I need identd?
2. Does your script modify identd so that it gives a "fake" response?
3. How do you use your script? - (Bearing in mind that I know absolutely nothing about perl)
Thanks.
jemfinch
03-31-2001, 01:54 PM
Originally posted by Algemon:
I didn't even load identd on my system cause I wasn't sure I needed it. I don't use ICQ and generally only surf the net with a web browser etc.
I think you really mean "IRC", not "ICQ" :) ICQ doesn't use identd, to my knowledge.
1. Do I need identd?
It depends. If you don't IRC and don't send mail directly from your box (without using a smart host your ISP provides) then you probably don't. Check your logs and see how many blocked packets you get to 113 -- there hasn't been a serious exploit of most identd servers in ages, so blocked packets there are generally portscans or authentic requests. If you're getting a lot of blocked packets there, then you might consider running it.
2. Does your script modify identd so that it gives a "fake" response?
Ident is a protocol described in RFC 1413.
Someone sends an ident server two port numbers, and the ident server is supposed to respond with the user using those ports (or, if there is no user using those ports, the server is supposed to return an error.) My program, rather than bother with all that, just returns positive all the time, responding with "user" plus some random number between 0 and 9999.
3. How do you use your script? - (Bearing in mind that I know absolutely nothing about perl)
And probably even less about python, the language that script is written in :)
You just name it something like "identd.py" and then type "./identd.py <user>" where user is the user you want the server to run as. If you don't specify a user, it assumes you want to run it as nobody.
Jeremy
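The exchange GoRN summarised earlier ("you send it 2 ports ... and it will tell you what user is using that connection") and the RFC 1413 description in the reply above, as an added Python 3 example that is not code from this thread: it builds the query an IRC or mail server sends to port 113, parses the USERID and ERROR replies, and wraps both in a lookup() client. The port numbers and the sample replies are constructed for illustration. Note the RFC's port order, which is the usual source of confusion.

```python
import re
import socket

IDENT_PORT = 113


def build_query(port_on_server, port_on_client):
    """Encode the request line a querying host sends to port 113.

    RFC 1413 names the fields from the identd's point of view: port_on_server
    is the port on the machine being asked (the one running identd) and
    port_on_client is the port on the machine asking. An IRC server on 6667
    with a user connected from ephemeral port 51234 therefore sends
    "51234 , 6667" to the user's port 113.
    """
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError('port out of range: %r' % (p,))
    return ('%d , %d\r\n' % (port_on_server, port_on_client)).encode('ascii')


# Reply forms:  <port-pair> : USERID : <opsys> [, <charset>] : <user-id>
#               <port-pair> : ERROR : <error-type>
REPLY_RE = re.compile(
    r'^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$')


def parse_reply(text):
    """Split one reply line into a dict; raises ValueError on anything else."""
    m = REPLY_RE.match(text)
    if not m:
        raise ValueError('malformed ident reply: %r' % (text,))
    sport, cport, kind, info = m.groups()
    reply = {'port_on_server': int(sport), 'port_on_client': int(cport),
             'type': kind}
    if kind == 'USERID':
        opsys, sep, user = info.partition(':')
        if not sep or not user.strip():
            raise ValueError('USERID reply without a user id: %r' % (text,))
        reply['opsys'] = opsys.split(',')[0].strip()   # drop optional charset
        reply['user'] = user.strip()
    else:
        reply['error'] = info     # NO-USER, INVALID-PORT, HIDDEN-USER, ...
    return reply


def lookup(host, port_on_server, port_on_client, timeout=5.0, ident_port=IDENT_PORT):
    """Ask host's identd who owns a connection; returns parse_reply()'s dict.

    Most hosts firewall 113 or answer nothing, so callers should expect
    socket.timeout and ConnectionRefusedError as the normal case.
    """
    with socket.create_connection((host, ident_port), timeout=timeout) as s:
        s.sendall(build_query(port_on_server, port_on_client))
        data = b''
        while b'\n' not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_reply(data.decode('ascii', 'replace').split('\n', 1)[0])


if __name__ == '__main__':
    # Both halves of an exchange; the reply is a constructed sample of what a
    # spoofing identd would send back.
    print(build_query(51234, 6667))
    print(parse_reply('51234 , 6667 : USERID : UNIX : user4242'))
    print(parse_reply('51234 , 6667 : ERROR : NO-USER'))
```

The user id in a USERID reply is whatever the remote identd chooses to say, which is exactly why a spoofing server works: the querying side has no way to check it and should treat it as a free-text label, not an identity.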
[GoRN]
03-31-2001, 06:22 PM
thanks for the fake server,
I did you a favor and ported it to perl, feel free to use it. I know how you don't like python that much, i was surprised you wrote it in python and not perl in the first place
the only problem is i use `id -u $newuid` to get the id of the user to setuid to. I know there's a better way but i don't know what it is.
you can get it at http://nixel.mine.nu/ident.pl or
#!/usr/bin/perl -W
use strict;
use IO::Socket;

# possible users to show for using the port, it's random, put as many as you like.
my @user = ('bob', 'fred', 'user', 'sam', 'sally', 'gesus', 'jesus', 'christ', 'krist', 'god', 'jod');

my $newuid;
($newuid = $ARGV[0]) ||
    ($newuid = "nobody");
if($newuid !~ /^\d*$/) {
    $newuid = `id -u $newuid`; # bad, i'm sure theres another way, but don't know it
}

my $ident = IO::Socket::INET->new(
    Proto     => "tcp",
    LocalPort => 113,
    Listen    => 10,
    Reuse     => 1
) or die $!;

#we've bound to the socket, setuid
$< = $newuid;
$> = $newuid;

srand(time ^ $$); # set the random seed so we can get random users below

my $pid = fork();
if(!defined($pid)) {
    die "Could not fork(): $!";
} elsif($pid != 0) {
    exit; # daemonize we are the parent
} # else we are the child, go

# The accept loop was cut off in the archived post; this completion follows what
# the thread goes on to discuss: one client at a time, a blocking read of a
# single line, and "0 , 0" on any error.
while(my $client = $ident->accept) {
    my $line = <$client>;        # blocks until this client sends a newline
    if(defined($line) and $line =~ /^(\d*)\s*,\s*(\d*)/) {
        print $client "$1 , $2 : USERID : UNIX : $user[rand @user]\r\n";
    } else {
        print $client "0 , 0 : ERROR : UNKNOWN-ERROR\r\n";
    }
    close($client);
}
Ah, but you're missing a whole lot of robustitude ( :D) in your code that's in mine.
Your server is open to a trivial DoS attack. Connect to the server, but don't send a newline. The program will be stuck in the "my $line = <$client>" line, and won't be able to handle any other clients as long as that connection remains open.
A few other notes, more about your perl than your design.
Instead of `id -u $newuid`, you should use perl's "getpwnam" function. Documentation can be found in perldoc -f.
You also don't follow the standard (and necessary) daemonizing rules. There are situations (I don't know which ones) in which your program could acquire a controlling terminal. Take a look at what my program goes through to see the "blessed" method of daemonizing (according to W. Richard Stevens.)
You need to use a different, more specific regexp. I'd suggest m/^(\d{1,5})\s*,\s*(\d{1,5})/ . Whitespace can exist at those points, and does rather often. Also, the port number has to be between 1 and 5 digits, so it's good to limit it.
Also, not that you nor I pay much attention to the protocol, but if there is an error, the ports still shouldn't be changed to "0,0" as you do.
The most important problem is obviously the DoS. You'll have to rewrite your code to handle stuff (including accept()) asynchronously. That means learning the IO::Select module (iirc the name.)
Honestly, though, perl is so ugly, you should just learn python and get done with it. You'll be happy you did. It's much easier to make robust, beautiful code.
Jeremy
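The fix asked for above, as an added Python 3 example that is neither jemfinch's nor GoRN's code: the standard-library selectors module (the Python counterpart of IO::Select) multiplexes accept() and reads, each client gets its own line buffer so a peer that never sends a newline cannot stall the others, idle connections and over-long lines are dropped, the port regexp is the stricter one suggested above, and error replies echo the ports as received instead of "0,0". The default reply is the "user" plus random number that jemfinch's own server gives. The user name 'demo' and the ports in demo_stalled_client_does_not_block_others() are constructed for the demo.

```python
import re
import selectors
import socket
import threading
import time
from random import randrange

# RFC 1413 request: <port-on-server> , <port-on-client>, 1-5 digits each, with
# optional whitespace around the comma (the stricter pattern suggested above).
REQUEST_RE = re.compile(r'^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$')
MAX_LINE = 1024      # bytes without a newline beyond this: not a request, drop


def answer(line, user=None):
    """Return the reply (without CRLF) for one request line."""
    m = REQUEST_RE.match(line)
    if not m:
        return '0 , 0 : ERROR : INVALID-PORT'      # nothing parseable to echo
    sport, cport = m.group(1), m.group(2)
    if not (1 <= int(sport) <= 65535 and 1 <= int(cport) <= 65535):
        # Out of range: echo the ports exactly as received, not "0,0".
        return '%s , %s : ERROR : INVALID-PORT' % (sport, cport)
    if user is None:
        user = 'user%d' % randrange(10000)        # spoofed, never a real account
    return '%s , %s : USERID : UNIX : %s' % (sport, cport, user)


class IdentServer:
    def __init__(self, host='127.0.0.1', port=0, idle_timeout=5.0, user=None):
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, port))
        self.listener.listen(16)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ)
        self.port = self.listener.getsockname()[1]   # port=0 picks a free one
        self.idle_timeout, self.user = idle_timeout, user
        self.clients = {}          # socket -> [partial line, last activity]
        self._stop = False

    def _drop(self, conn):
        self.sel.unregister(conn)
        self.clients.pop(conn, None)
        conn.close()

    def _read(self, conn):
        try:
            data = conn.recv(512)
        except OSError:
            data = b''
        state = self.clients[conn]
        state[0] += data
        state[1] = time.monotonic()
        if b'\n' in state[0]:
            line = state[0].split(b'\n', 1)[0].decode('ascii', 'replace').rstrip('\r')
            try:
                conn.sendall((answer(line, self.user) + '\r\n').encode('ascii'))
            except OSError:
                pass
            self._drop(conn)
        elif not data or len(state[0]) > MAX_LINE:   # EOF, error or garbage
            self._drop(conn)

    def serve_forever(self):
        while not self._stop:
            for key, _ in self.sel.select(timeout=0.2):
                if key.fileobj is self.listener:
                    conn, _ = self.listener.accept()
                    conn.setblocking(False)
                    self.sel.register(conn, selectors.EVENT_READ)
                    self.clients[conn] = [b'', time.monotonic()]
                else:
                    self._read(key.fileobj)
            now = time.monotonic()       # reap clients that never finish a line
            for conn in [c for c, (_, t) in self.clients.items()
                         if now - t > self.idle_timeout]:
                self._drop(conn)
        for conn in list(self.clients): self._drop(conn)
        self.sel.close()
        self.listener.close()

    def stop(self):
        self._stop = True


def demo_stalled_client_does_not_block_others():
    # One client sends a request with no newline and just sits there; a second
    # client must still be answered. Returns the second client's reply.
    server = IdentServer(user='demo')             # constructed demo user name
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    addr = ('127.0.0.1', server.port)
    with socket.create_connection(addr) as stalled, \
            socket.create_connection(addr, timeout=3) as good:
        stalled.sendall(b'51234 , 6667')          # no newline: stays pending
        good.sendall(b'51235 , 6667\r\n')
        reply = good.recv(256).decode('ascii').strip()
    server.stop()
    worker.join(2)
    return reply
```

Calling demo_stalled_client_does_not_block_others() returns the second client's reply while the first connection is still open. A real deployment would construct IdentServer(host='', port=113), which needs root (or CAP_NET_BIND_SERVICE on Linux) to bind, and then drop privileges the same way the scripts in this thread do; the demo binds an ephemeral loopback port so it runs unprivileged.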
[GoRN]
04-01-2001, 03:05 AM
thanks for the feedback, i was thinking of forking for each client, but figured that was too sloppy, and had heard of the IO::Select module but never tried to use it. i got that working and the `id -u` i knew was wrong and knew perl /had/ to have a call for it but didn't know what it was, thanks
the protocol i've fixed up, it resembles the in.identd shipped with slackware. i did /not/ use your regex because with in.identd on either slack or open bsd if you send it any number over 2147483647 it sends that back, so I also do that. I think i got the daemonizing right, but am not sure.
i have thought of learning python, but i've been busy and am currently learning java. it's on my list, next to php.
anyway heres the new:
#!/usr/bin/perl -W
use strict;
use IO::Socket;
use IO::Select;
use POSIX qw(setsid);

sub daemonize();

# possible users to show for using the port, it's random, put as many as you like.
my @user = ('bob', 'fred', 'user', 'sam', 'sally', 'gesus', 'jesus', 'christ',
            'krist', 'god', 'jod', 'tod', 'rod', 'bill', 'billie', 'william',
            'sarah', 'nobody', 'david', 'molly', 'chris', 'andrew', 'ryan',
            'foo', 'bar', 'fu', 'baz', 'linus', 'alex', 'elmo');

my $identd = IO::Socket::INET->new(
    Proto     => 'tcp',
    LocalPort => 1130,   # test port; the real ident service is TCP 113
    Listen    => 10,
    Reuse     => 1) or die $!;
my $select = IO::Select->new($identd);

my $newuid;
($newuid = $ARGV[0]) or
    ($newuid = "nobody");
if($newuid !~ /^\d*$/) {
    ($_, $_, $newuid) = getpwnam($newuid);   # third field is the numeric uid
}
($< = $> = $newuid) or die "Could not set UID\n";

srand(time ^ $$);
daemonize();

while(my @ready = $select->can_read) {
    foreach my $sock (@ready) {
        if($sock == $identd) {
            # we have a new connection
            my $client = $identd->accept;
            $select->add($client);
        } else {
            # NB: <$sock> still blocks until this client sends a newline; only
            # accept() is multiplexed here.
            my $line = <$sock>;
            if(!defined($line)) {          # client went away without a line
                $select->remove($sock);
                close($sock);
                next;
            }
            chomp $line;
            my (@port) = $line =~ /^(-?\d*)\s*,\s*(-?\d*)/;
            my $invalid = 0;
            # The rest of the loop was cut off in the archived post; this
            # completion follows the description above: echo the ports back as
            # received, flagging missing or out-of-range ones as INVALID-PORT.
            my ($local, $remote) = map { defined($_) ? $_ : '' } @port[0, 1];
            foreach my $p ($local, $remote) {
                $invalid = 1 if $p eq '' or $p < 1 or $p > 65535;
            }
            if($invalid) {
                print $sock "$local , $remote : ERROR : INVALID-PORT\r\n";
            } else {
                print $sock "$local , $remote : USERID : UNIX : $user[rand @user]\r\n";
            }
            $select->remove($sock);
            close($sock);
        }
    }
}

sub daemonize() {
    my $pid;
    chdir '/';
    umask 0;
    open STDIN , "</dev/null" or die "Could not open /dev/null for read: $!";
    open STDOUT, ">/dev/null" or die "Could not open /dev/null for write: $!";
    open STDERR, ">/dev/null" or die "Could not open /dev/null for write: $!";
    defined($pid = fork()) or die "Could not fork: $!";
    exit if $pid;
    setsid or die "Could not start new session: $!";
}
Neurotica
04-02-2001, 06:12 PM
A message was sent to abuse@verio.net regarding your slanderous and false webpage.
If you do not remove the FALSE information and any references to me I will pursue legal action.
I am not kidding, and I am not female, and you will find that out in court if you don't comply.
--Jennifer Zynn
Algemon
04-03-2001, 01:16 AM
jemfinch,
You are totally right - I don't know squat about perl or python - but I hope to learn some soon as I will be beginning a Masters of IT soon at Uni.
Your script seems very cool. One of the reasons I was doing without identd was for fear of everyone being able to figure something out about my system. I didn't understand it so I didn't install it ;)
Now, am I correct in assuming the following:
1. That your script is a total identd server?
2. If I want to be able to send email directly through say exim on my machine (rather than through Netscape mail relaying it through my ISPs mailserver), I will need an identd server?
And lastly, will there be any problems with giving false responses for the user from identd in terms of sending mail?
Thanks again. This is very educational. :)
[ 03 April 2001: Message edited by: Algemon ]
jemfinch
04-04-2001, 09:33 PM
Originally posted by Algemon:
Your script seems very cool.
Thanks :)
Now, am I correct in assuming the following:
1. That your script is a total identd server?
Yep.
2. If I want to be able to send email directly through say exim on my machine (rather than through Netscape mail relaying it through my ISPs mailserver), I will need an identd server?
You don't need one, but it'll speed up mail delivery, since sendmail delays if it receives a not-good response (I can't find any more specific information on it, but rest assured, you won't have problems)
And lastly, will there be any problems with giving false responses for the user from identd in terms of sending mail?
Shouldn't be. I ran a spoofing identd (one I got from someone else, that I wrote this to replace since the other one was spaghetti code and I didn't like that I couldn't audit the source, and that it was written in C, which can easily have buffer overflows.) and had no problems sending mail at all.
Jeremy
Algemon
04-05-2001, 02:50 AM
Thank you so much jemfinch for your very courteous and informative response. Your program is very cool :cool: and I am going to get it working tomorrow when I have a chance. It answers the two reasons why I didn't install identd when I put debian on.
I can't wait until I know some python so I can actually understand it. :D
Thanks muchly :)
justlinux.com
Copyright Internet.com Inc. All Rights Reserved.