
Re: Hack attempt? (fwd)



Hello, 

Portmapper is suggested, not required, at least for most platforms.

We have had conflicting tests on the necessity of portmapper across
operating systems. If port 388 is not open for TCP/IP LDM use, the next
step is to try and find the LDM program (300029), and it will access port
111 (portmapper) to try and find the program. Theoretically, if 388 is
open, it will go no further and portmapper would not be required.

-Jeff
____________________________                  _____________________
Jeff Weber                                    address@hidden
Unidata Support                               PH:303-497-8676 
NWS-COMET Case Study Library                  FX:303-497-8690
University Corp for Atmospheric Research      3300 Mitchell Ln
http://www.unidata.ucar.edu/staff/jweber      Boulder,Co 80307-3000
________________________________________      ______________________
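An added example, not part of the thread, that applies Jeff's description to firewall log lines of the shape Ryan posted: a dropped LDM attempt on 388 from a known peer followed shortly by a portmapper (sunrpc) probe from the same peer is the fallback lookup, not a separate scan. The field order, the five-minute window and the peer allowlist are assumptions; the sample log is constructed, and the 10.9.8.7 entry is a made-up non-peer to show the contrast.

```python
import re
from datetime import datetime, timedelta

# Service names as the firewall logs them, and the ports the thread discusses.
SERVICE_PORTS = {"unidata-ldm": 388, "sunrpc": 111}
LDM_RPC_PROGRAM = 300029  # LDM program number quoted in the thread

# Constructed sample in the shape of the posted log; last line is a made-up non-peer.
SAMPLE_LOG = '''
"12661"  "3Oct2001"  "22:34:08"  "eth0" "log"  "drop"  "unidata-ldm"  "128.117.29.216"  "129.138.88.80"
"13167"  "3Oct2001"  "22:36:08"  "eth0" "log"  "drop"  "sunrpc"  "128.117.29.216"  "129.138.88.80"
"13335"  "3Oct2001"  "22:37:03"  "eth0" "log"  "drop"  "unidata-ldm"  "128.117.29.216"  "129.138.88.80"
"13400"  "3Oct2001"  "22:41:00"  "eth0" "log"  "drop"  "sunrpc"  "10.9.8.7"  "129.138.88.80"
'''

FIELD_RE = re.compile(r'"([^"]*)"')

def parse_line(line):
    """Assumed field order: id, date, time, iface, 'log', action, service, src, dst."""
    f = FIELD_RE.findall(line)
    if len(f) != 9:
        return None
    when = datetime.strptime(f[1] + " " + f[2], "%d%b%Y %H:%M:%S")
    return {"id": int(f[0]), "when": when, "action": f[5],
            "service": f[6], "src": f[7], "dst": f[8]}

def classify(events, ldm_peers, window=timedelta(minutes=5)):
    """Label each event using the 388-first, portmapper-second behaviour Jeff describes."""
    labels, last_ldm_drop = {}, {}
    for ev in sorted(events, key=lambda e: e["when"]):
        src, svc = ev["src"], ev["service"]
        if src not in ldm_peers or svc not in SERVICE_PORTS:
            label = "unexpected"
        elif svc == "unidata-ldm":
            label = "ldm-direct"
            if ev["action"] == "drop":
                last_ldm_drop[src] = ev["when"]  # 388 blocked: expect a 111 lookup next
        else:  # sunrpc from a known peer
            t = last_ldm_drop.get(src)
            label = ("ldm-portmapper-fallback" if t and ev["when"] - t <= window
                     else "portmapper-unexplained")
        labels[ev["id"]] = label
    return labels

def summarize(log_text, ldm_peers):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return classify(events, ldm_peers)
```

Events labelled `ldm-portmapper-fallback` disappear once TCP 388 is permitted from that peer, which is the check that distinguishes the pattern in the thread from an unrelated portmapper probe.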

On Tue, 23 Oct 2001, Doug Hunt wrote:

> Ryan:  I believe that LDM uses sunrpc.  I know it requires the
> portmapper.
> 
> Regards, 
> 
>   Doug Hunt
> 
> "Snyder, Ryan" wrote:
> > 
> > OK, if LDM is the only protocol it uses, why is the machine at UCAR trying
> > to connect via a sunrpc port [random ports in the 3600 range]?
> > 
> > -Ryan
> > 
> > -----Original Message-----
> > From: Doug Hunt [mailto:address@hidden]
> > Sent: Tuesday, October 23, 2001 11:20 AM
> > To: Snyder, Ryan
> > Cc: Myron McCallum
> > Subject: Re: Hack attempt? (fwd)
> > 
> > Ryan:  I am unaware of any exploits that take advantage of these ports
> > being open, but of course as with all internet services it cannot be
> > ruled out.  Many other universities leave these ports open to allow LDM
> > traffic though so I doubt it will be a problem.
> > 
> > As to pushing vs. pulling the data, I believe that the two-way channel
> > must be open for LDM to work.  If you would permit those packets in,
> > your machine would then 'push' the data to us.
> > 
> > Regards,
> > 
> >   Doug Hunt
> > 
> > "Snyder, Ryan" wrote:
> > >
> > > If we allow this through our firewall, does this pose any security risks
> > > to the machine here on our campus?  Are there any security issues with the LDM
> > > protocol?
> > >
> > > Can the data be pushed to UCAR?
> > >
> > > -Ryan
> > >
> > > -----Original Message-----
> > > From: Doug Hunt [mailto:address@hidden]
> > > Sent: Tuesday, October 23, 2001 10:53 AM
> > > To: Snyder, Ryan
> > > Cc: Greg Woods; address@hidden; address@hidden; Teresa Van Hove
> > > Subject: Re: Hack attempt? (fwd)
> > >
> > > Ryan:  I am the systems admin in charge of the Suominet project and
> > > the machine 128.117.29.216 (suomildm1.cosmic.ucar.edu).  Suominet is a
> > > collection of GPS receivers and computers at various universities which
> > > are managed by UCAR for the collection of atmospheric data.
> > >
> > > Your machine (129.138.88.80, souminet.nmt.edu) is in our tables as one
> > > of our Suominet client machines.  This means that we expect that this
> > > machine is a unidata LDM client that should be giving us GPS data via
> > > the LDM system.
> > > I can't tell for sure, but the log snippet you gave seems to be normal
> > > LDM traffic.
> > >
> > > The name your machine resolves to (suominet.nmt.edu) seems to indicate
> > > that you are part of Suominet.  The log you show seems to be from a
> > > firewall?  I don't believe we have been getting data from your machine.
> > > Perhaps your firewall has been rejecting our attempts to collect your
> > > data.  If this is so, we would like to see these data!  Perhaps your
> > > firewall restrictions could be eased to permit this.
> > >
> > > Regards,
> > >
> > >   Doug Hunt
> > >
> > > Greg Woods wrote:
> > > >
> > > > Is this someone with whom you are attempting to exchange LDM data
> > > > who doesn't know they are supposed to be doing this, or do you
> > > > have a compromised machine?
> > > >
> > > > --Greg
> > > >
> > > > Forwarded message:
> > > > From address@hidden  Tue Oct 23 07:57:36 2001
> > > > Message-ID: <address@hidden>
> > > > From: "Snyder, Ryan" <address@hidden>
> > > > To: "'address@hidden'" <address@hidden>
> > > > Subject: Hack attempt?
> > > > Date: Tue, 23 Oct 2001 07:59:09 -0600
> > > > MIME-Version: 1.0
> > > > X-Mailer: Internet Mail Service (5.5.2653.19)
> > > > Content-Type: text/plain;
> > > >         charset="iso-8859-1"
> > > > X-Filter: mailagent [version 3.0 PL54] for address@hidden
> > > >
> > > > We are receiving a lot of attempts from 128.117.29.216 to contact a
> > > > machine on our network on strange ports.
> > > >
> > > > Here are a sample of my logs.  They come in groups of three about every
> > > > three to four minutes.  I have logs going back to the end of September
> > > > with this data.
> > > >
> > > > "12661"  "3Oct2001"  "22:34:08"  "eth0" "log"  "drop"  "unidata-ldm"  "128.117.29.216"  "129.138.88.80"
> > > > "13167"  "3Oct2001"  "22:36:08"  "eth0" "log"  "drop"  "sunrpc"  "128.117.29.216"  "129.138.88.80"
> > > > "13335"  "3Oct2001"  "22:37:03"  "eth0" "log"  "drop"  "unidata-ldm"  "128.117.29.216"  "129.138.88.80"
> > >
> > > --
> > > address@hidden
> > > Software Engineer III, Sometimes Sysadmin
> > > UCAR - COSMIC, Tel. (303) 497-2611