Solaris 2.6

I've been running Solaris 2.6 servers for years now and haven't done
any patches for at least 4 years because the servers have been totally
stable.  In the last week however, in.telnet and in.ftp have died sort
of randomly on all 5 of my servers...and when I reboot telnet and ftp
run for about 10 minutes, then die again sort of randomly.  Seems to
be sort of random.  All of my 2.6 servers are doing this now and a
reboot fixes the problem for only a short time.

There's nothing in the messages or error logs and each of the 5
systems is running different apps, so nothing common I can think
of.

Anyone have a clue where I can look for this?

If you have any ideas, please write to tdenham@airnetcom.com.

Thanks in advance!

Reply tdenham735 (37) 2/28/2007 11:17:36 PM

On Feb 28, 6:17 pm, tdenham...@gmail.com wrote:
> I've been running Solaris 2.6 servers for years now and haven't done
> any patches for at least 4 years because the servers have been totally
> stable.  In the last week however, in.telnet and in.ftp has died sort
> of randomly on all 5 of my servers...and when I reboot telnet and ftp
> run for about 10 minutes, then die again sort of randomly.  Seems to
> be sort of random.  All of my 2.6 servers are doing this now and a
> reboot fixes the problem for only a short time.
>
> There's nothing in the messages or error logs and each of the 5
> systems are running different apps, so nothing common I can think
> of.
>
> Anyone have a clue where I can look for this?
>
> If you have any ideas, please write to tden...@airnetcom.com.
>
> Thanks in advance!

I probably should mention that I have several other Unix servers
running Solaris 2.7 and 2.8, however none of those have the problem.
It's very suspicious, however nothing malicious has happened.

I've also rebooted and watched the system for a while, running
netstat in another window, but I never see any connections come into
the system or anyone log in.

It's really odd because there is simply no trace of what could be
killing telnet and ftp...

Anyway...thanks again for taking time to read this and keeping my
fingers crossed for an answer....  Please copy any replies to
tdenham@airnetcom.com.

Reply tdenham735 2/28/2007 11:31:30 PM


On Feb 28, 3:31 pm, tdenham...@gmail.com wrote:
> On Feb 28, 6:17 pm, tdenham...@gmail.com wrote:
>
>
>
> > I've been running Solaris 2.6 servers for years now and haven't done
> > any patches for at least 4 years because the servers have been totally
> > stable.  In the last week however, in.telnet and in.ftp has died sort
> > of randomly on all 5 of my servers...and when I reboot telnet and ftp
> > run for about 10 minutes, then die again sort of randomly.  Seems to
> > be sort of random.  All of my 2.6 servers are doing this now and a
> > reboot fixes the problem for only a short time.
>
> > There's nothing in the messages or error logs and each of the 5
> > systems are running different apps, so nothing common I can think
> > of.
>
> > Anyone have a clue where I can look for this?
>
> > If you have any ideas, please write to tden...@airnetcom.com.
>
> > Thanks in advance!
>
> I probably should mention that I have several other Unix servers
> running Solaris 2.7 and 2.8, however none of those have the problem.
> It's very suspicious, however nothing malicious has happened.
>
> I've also rebooted and watch the system for a while while running
> netstat in another window, but I never see any connections come into
> the system or anyone login.
>
> It's really odd because there is simply no trace of what could be
> killing telnet and ftp...
>
> Anyway...thanks again for taking time to read this and keeping my
> fingers crossed for an answer....  Please copy any replies to
> tden...@airnetcom.com.

Well -- if you suspect you've been hacked, then "netstat" is likely
already compromised.

The first thing a hacker does upon successful access is to replace
various critical programs that might otherwise disclose his
clandestine activities.  "netstat", "ps", "ls", "strings", etc. are
not to be trusted implicitly.

So if you suspect foul play, you should probably check some of the
security oriented newsgroups.

Hope that's helpful.

Reply ThanksButNo 2/28/2007 11:37:55 PM

On Feb 28, 6:37 pm, "ThanksButNo" <no.no.tha...@gmail.com> wrote:
> On Feb 28, 3:31 pm, tdenham...@gmail.com wrote:
>
>
>
> > On Feb 28, 6:17 pm, tdenham...@gmail.com wrote:
>
> > > I've been running Solaris 2.6 servers for years now and haven't done
> > > any patches for at least 4 years because the servers have been totally
> > > stable.  In the last week however, in.telnet and in.ftp has died sort
> > > of randomly on all 5 of my servers...and when I reboot telnet and ftp
> > > run for about 10 minutes, then die again sort of randomly.  Seems to
> > > be sort of random.  All of my 2.6 servers are doing this now and a
> > > reboot fixes the problem for only a short time.
>
> > > There's nothing in the messages or error logs and each of the 5
> > > systems are running different apps, so nothing common I can think
> > > of.
>
> > > Anyone have a clue where I can look for this?
>
> > > If you have any ideas, please write to tden...@airnetcom.com.
>
> > > Thanks in advance!
>
> > I probably should mention that I have several other Unix servers
> > running Solaris 2.7 and 2.8, however none of those have the problem.
> > It's very suspicious, however nothing malicious has happened.
>
> > I've also rebooted and watch the system for a while while running
> > netstat in another window, but I never see any connections come into
> > the system or anyone login.
>
> > It's really odd because there is simply no trace of what could be
> > killing telnet and ftp...
>
> > Anyway...thanks again for taking time to read this and keeping my
> > fingers crossed for an answer....  Please copy any replies to
> > tden...@airnetcom.com.
>
> Well -- if you suspect you've been hacked, then "netstat" is likely
> already compromised.
>
> The first thing a hacker does upon successful access is to replace
> various critical programs that might otherwise disclose his
> clandestine activities.  "netstat", "ps", "ls", "strings", etc. are
> not be trusted implicitly.
>
> So if you suspect foul play, you should probably check some of the
> security oriented newsgroups.
>
> Hope that's helpful.

Thanks for the advice...I'm just a little suspicious, but I don't see
why a hacker would just do something so limited, but the security
forums are a great idea...I'll keep looking both forums:)

Reply tdenham735 2/28/2007 11:56:07 PM

On Feb 28, 3:56 pm, tdenham...@gmail.com wrote:
> On Feb 28, 6:37 pm, "ThanksButNo" <no.no.tha...@gmail.com> wrote:
>
>
>
> > On Feb 28, 3:31 pm, tdenham...@gmail.com wrote:
>
> > > On Feb 28, 6:17 pm, tdenham...@gmail.com wrote:
>
> > > > I've been running Solaris 2.6 servers for years now and haven't done
> > > > any patches for at least 4 years because the servers have been totally
> > > > stable.  In the last week however, in.telnet and in.ftp has died sort
> > > > of randomly on all 5 of my servers...and when I reboot telnet and ftp
> > > > run for about 10 minutes, then die again sort of randomly.  Seems to
> > > > be sort of random.  All of my 2.6 servers are doing this now and a
> > > > reboot fixes the problem for only a short time.
>
> > > > There's nothing in the messages or error logs and each of the 5
> > > > systems are running different apps, so nothing common I can think
> > > > of.
>
> > > > Anyone have a clue where I can look for this?
>
> > > > If you have any ideas, please write to tden...@airnetcom.com.
>
> > > > Thanks in advance!
>
> > > I probably should mention that I have several other Unix servers
> > > running Solaris 2.7 and 2.8, however none of those have the problem.
> > > It's very suspicious, however nothing malicious has happened.
>
> > > I've also rebooted and watch the system for a while while running
> > > netstat in another window, but I never see any connections come into
> > > the system or anyone login.
>
> > > It's really odd because there is simply no trace of what could be
> > > killing telnet and ftp...
>
> > > Anyway...thanks again for taking time to read this and keeping my
> > > fingers crossed for an answer....  Please copy any replies to
> > > tden...@airnetcom.com.
>
> > Well -- if you suspect you've been hacked, then "netstat" is likely
> > already compromised.
>
> > The first thing a hacker does upon successful access is to replace
> > various critical programs that might otherwise disclose his
> > clandestine activities.  "netstat", "ps", "ls", "strings", etc. are
> > not be trusted implicitly.
>
> > So if you suspect foul play, you should probably check some of the
> > security oriented newsgroups.
>
> > Hope that's helpful.
>
> Thanks for the advice...I'm just a little suspicious, but I don't see
> why a hacker would just do something so limited, but the security
> forums are a great idea...I'll keep looking both forums:)

It depends on the hacker -- when I go over my httpd logs, I'll
occasionally find errors where the connecting person attempted to run
"C:\WINDOWS\CMD".  Well, that's stupid, even if it was a Windows
machine, that old hack has been fixed forever.

There are "root-kits" freely available for download, and the hacker
doesn't need to have any knowledge whatsoever.  He just runs the
sucker against a likely target, and if it finds a vulnerability, it
exploits it automatically.

Our system was hacked with one of those a couple of times, and it was
fairly clear that there was nothing else wrong with the system.
Apparently, once the guy got in, he didn't know what else to do with
it, and abandoned it.  At least, as far as I could tell.  Maybe he
just left upon not finding any pix of naked ladies or credit card
numbers.

Another time we got hacked, and the guy just set himself up a remote
IPC server.  I guess he needed something to bounce around other
systems' firewalls.

Don't believe the old hype about how "intelligent" hackers are -- some
of them are just garden variety morons, like your typical thug who
didn't invent the door shim, but learned how to use one.

Best of luck!

Reply ThanksButNo 3/1/2007 5:33:39 AM

On Feb 28, 11:56 pm, tdenham...@gmail.com wrote:

>
> Thanks for the advice...I'm just a little suspicious, but I don't see
> why a hacker would just do something so limited, but the security
> forums are a great idea...I'll keep looking both forums:)

What you're *noticing* is limited.  That doesn't necessarily mean that
what they're *doing* is limited. telnetd falling over every once in a
while might be some tiny side effect of who-knows-what.

--tim

Reply Tim 3/1/2007 12:30:52 PM

On Feb 28, 11:31 pm, tdenham...@gmail.com wrote:

> I've also rebooted and watch the system for a while while running
> netstat in another window, but I never see any connections come into
> the system or anyone login.

I'd use snoop not netstat - you want to see anything aimed at telnet
or ftp ports, not just open connections.

Reply Tim 3/1/2007 12:34:51 PM

On Mar 1, 7:34 am, "Tim Bradshaw" <tfb+goo...@tfeb.org> wrote:
> On Feb 28, 11:31 pm, tdenham...@gmail.com wrote:
>
> > I've also rebooted and watch the system for a while while running
> > netstat in another window, but I never see any connections come into
> > the system or anyone login.
>
> I'd use snoop not netstat - you want to see anything aimed at telnet
> or ftp ports, not just open connections.

Thanks for all the replies...this turned out to be what appears as a
worm coming from a single PC on our LAN.  Fortunately snoop paid off
and found the culprit!  Yay!

Reply tdenham735 3/1/2007 2:40:57 PM
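Tim's suggestion above (watch the telnet and ftp ports with snoop rather than netstat, so you see connection attempts and not just established sessions) and the follow-up that snoop pointed at a single LAN host can be turned into a small triage script. This is an added example, not code from the thread or from Solaris; it parses snoop's one-line summary format, and the sample capture lines, host addresses and the SYN threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed snoop summary lines (not a capture from the thread). On the box they
# would come from something like:  snoop -r -o telnet-ftp.snoop port 23 or port 21
# and later:  snoop -r -i telnet-ftp.snoop > summary.txt
SAMPLE_SNOOP = """\
192.168.10.77 -> 192.168.10.5 TCP D=23 S=1041 Syn Seq=11 Len=0 Win=8760
192.168.10.5 -> 192.168.10.77 TCP D=1041 S=23 Syn Ack=12 Seq=900 Len=0 Win=8760
192.168.10.77 -> 192.168.10.5 TCP D=23 S=1042 Syn Seq=12 Len=0 Win=8760
192.168.10.77 -> 192.168.10.5 TCP D=21 S=1043 Syn Seq=13 Len=0 Win=8760
192.168.10.77 -> 192.168.10.5 TCP D=23 S=1044 Syn Seq=14 Len=0 Win=8760
192.168.10.20 -> 192.168.10.5 TCP D=23 S=2001 Syn Seq=21 Len=0 Win=8760
192.168.10.20 -> 192.168.10.5 TCP D=23 S=2001 Ack=901 Seq=22 Len=0 Win=8760
192.168.10.77 -> 192.168.10.5 TCP D=21 S=1045 Syn Seq=15 Len=0 Win=8760
192.168.10.77 -> 192.168.10.5 TCP D=23 S=1046 Syn Seq=16 Len=0 Win=8760
"""

# snoop summary shape: "<src> -> <dst>  TCP D=<dport> S=<sport> <flags/fields...>"
LINE_RE = re.compile(r"^\s*(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
                     r"D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+(?P<rest>.*)$")
WATCHED_PORTS = {21: "ftp", 23: "telnet"}   # inetd services the thread is about


def parse_snoop_line(line):
    """Return (src, dst, dport, syn_only) for a TCP summary line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("rest").split()
    # A Syn with no Ack= field is a fresh connection attempt; "Syn Ack=" is the reply.
    syn_only = "Syn" in fields and not any(f.startswith("Ack=") for f in fields)
    return m.group("src"), m.group("dst"), int(m.group("dport")), syn_only


def count_syns_by_source(text, ports=WATCHED_PORTS):
    """Per watched service, count new connection attempts (SYN only) per source host."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        parsed = parse_snoop_line(line)
        if parsed and parsed[3] and parsed[2] in ports:
            counts[ports[parsed[2]]][parsed[0]] += 1
    return counts


def find_suspects(counts, threshold=3):
    """Hosts whose SYN count against any watched service reaches the threshold."""
    suspects = {}
    for service, per_src in counts.items():
        for src, n in per_src.items():
            if n >= threshold:
                suspects.setdefault(src, {})[service] = n
    return suspects


if __name__ == "__main__":
    print(find_suspects(count_syns_by_source(SAMPLE_SNOOP)))
```

Running it against the constructed sample flags only the host that keeps re-opening the telnet port; a real capture would be read from the snoop summary file instead of the embedded string.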

tdenham735@gmail.com wrote:
> stable.  In the last week however, in.telnet and in.ftp has died sort
> of randomly on all 5 of my servers...and when I reboot telnet and ftp

How do you mean, died?  Are these services being fired out of inetd?
Does the port stop responding, or existing connections drop?  Do they drop
a core file?

-- 
Brandon Hume    - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
Reply hume 3/1/2007 3:00:56 PM

On Mar 1, 10:00 am, hume.spamfil...@bofh.ca wrote:
> tdenham...@gmail.com wrote:
> > stable.  In the last week however, in.telnet and in.ftp has died sort
> > of randomly on all 5 of my servers...and when I reboot telnet and ftp
>
> How do you mean, died?  Are these services being fired out of inetd?
> Does the port stop responding, or existing connections drop?  Do they drop
> a core file?
>
> --
> Brandon Hume    - hume -> BOFH.Ca,http://WWW.BOFH.Ca/

They just die...or I should say quit responding...basically you can
still telnet, but the telnet session hangs.  I even tried to HUP inetd
hoping it would help, but simply didn't work.

Turns out that what I thought was a worm however, wasn't a worm...it
was an obscure app that an engineer downloaded and ran on our
production network.  I don't know how or why it affected ONLY Solaris
2.6...but it was very, very strange!

Let me know if you have any specific questions Brandon and I'll be
glad to try to answer:)

Reply tdenham735 3/3/2007 9:58:10 PM

9 Replies
89 Views