[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Port 33270 and Trinity

To: suse-security@xxxxxxxx
Subject: Re: [suse-security] Port 33270 and Trinity
From: GertJan Spoelman <nobody@xxxxxxxxxxxxxxxxx>
Date: Thu, 8 May 2003 08:55:54 +0200
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Thu, 08 May 2003 08:56:27 +0200
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <200305072231.10861.pkozlenko@xxxxxxxxxx>
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
References: <Pine.LNX.4.44.0305071229470.3750-100000@xxxxxxxxxxxxxxxxxxxxx> <200305080058.51322@xxxxxx> <200305072231.10861.pkozlenko@xxxxxxxxxx>
User-agent: KMail/1.5.1

On Thursday 08 May 2003 04:31, Paul Kozlenko wrote:
> On Wednesday 07 May 2003 18:58, GertJan Spoelman wrote:
> > On Thursday 08 May 2003 00:12, Paul Kozlenko wrote:
> > > FWIW
> > > netstat -patn|grep 33270
> > > gives me:
> > >
> > > Proto Recv-Q Send-Q  Local Address  Foreign Address  State
> > > PID/Program name
> > > tcp              0            0  0.0.0.0:33270   0.0.0.0:*
> > > LISTEN       -
> > > (I added the headers in for clarity)
> >
> > You're probably running a kernel which has the fix for the ptrace hole.
> > The downside of that fix was that even root doesn't seem to have the
> > right to show the information for all processes anymore, for example if I
> > look at nfs which uses port 2049 I see the same, there is no PID or
> > Program name shown for that port.
> > On my systems I also see such lines for high ports, I don't know which
> > process uses them, but you should be able to find that out by shutting
> > them down one by one and watch when that port disappears.
>
> My kernel version is Linux version 2.4.19-4GB (SuSE 8.1 Professional)
> How do I find out if this has the "ptrace hole" fix?

Check the changelog of your kernel package, the first entry here says:
- fix ptrace security hole
you can extract the changelog by doing:
   rpm -q --changelog <name_of_installed_kernel_package>

You probably have a k_deflt kernel rpm package installed, the exact name and 
version you can find by: rpm -qa | grep k_deflt
The latest which I have is k_deflt-2.4.19-274 and that has the fix.

On Thursday 08 May 2003 04:41, Paul Kozlenko wrote:
> More info (... reminder to self, always check log files ....)
>
> /var/log/warn contains a line:
> May  7 22:00:07 machinename kernel: lockd: connect from unprivileged port:
> 172.20.43.21:52353
>
> For each attempted connect.
> This is a good thing that this is detected. YES?
> Does it mean that I am safe though?

I don't think so, it's only detected and logged.
-- 

    GertJan
    
Email address is invalid, so don't reply directly, I'm on the list.


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

Follow-Ups:
- Re: [suse-security] Port 33270 and Trinity
  - From: Paul Kozlenko

References:
- Re: [suse-security] Port 33270 and Trinity
  - From: Armin Schoech
- Re: [suse-security] Port 33270 and Trinity
  - From: GertJan Spoelman
- Re: [suse-security] Port 33270 and Trinity
  - From: Paul Kozlenko

Prev by Date: Re: [suse-security] Port 33270 and Trinity
Next by Date: [suse-security] Source MAC Address DoS
Previous by thread: Re: [suse-security] Port 33270 and Trinity
Next by thread: Re: [suse-security] Port 33270 and Trinity
Index(es):
- Date
- Thread