Portsentry not installed? Remote compromise?

Richard Emory

Portsentry not installed? Remote compromise?
« on: July 04, 2001, 07:01:44 AM »
I installed Portsentry and LogCheck.
I get lots of Security Violations.
Today, things did not seem right so I did the following:

rpm -Uhv portsentry-1.0-14.src.rpm
portsentry                  ##################################################
[root@e-smith portsentry]# rpm -q port*
package portsentry-1.0-14.src.rpm is not installed
package portsentry-1.0.tar.gz is not installed
package portsentry-1.0.tar.gz.asc is not installed

Why does it say "not installed"?


[root@e-smith portsentry]# rpm -K port*
portsentry-1.0-14.src.rpm: md5 OK
portsentry-1.0.tar.gz: rpmReadSignature failed
portsentry-1.0.tar.gz.asc: rpmReadSignature failed

Is this bad?

[root@e-smith portsentry]# nmap -sS -O -P0 63.216.139.91

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on structuralsupport.net (63.216.139.91):
(The 1511 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp                    
25/tcp     open        smtp                    
80/tcp     open        http                    
110/tcp    open        pop-3                  
113/tcp    open        auth                    
143/tcp    open        imap2                  
389/tcp    open        ldap                    
443/tcp    open        https                  
515/tcp    open        printer                
980/tcp    open        unknown                
3128/tcp   open        squid-http              
3306/tcp   open        mysql                  

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1640572 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
[root@e-smith portsentry]#

Is my self-scan showing anything weird?
The following is additional information which may help.

[root@e-smith portsentry]# rpm -q nmap
nmap-2.53-1
[root@e-smith portsentry]# rpm -q telnet
telnet-0.17-7
[root@e-smith portsentry]# rpm -q e-smith
e-smith-4.2.0-02
[root@e-smith portsentry]# rpm -q e-smith*
package e-smith* is not installed
[root@e-smith portsentry]# rpm -q portsentry
portsentry-1.0-11
[root@e-smith portsentry]# rpm -q port*    
package portsentry-1.0-14.src.rpm is not installed
package portsentry-1.0.tar.gz is not installed
package portsentry-1.0.tar.gz.asc is not installed
[root@e-smith portsentry]# rpm -K portsentry
portsentry: open failed: No such file or directory
[root@e-smith portsentry]# ls
portsentry-1.0-14.src.rpm  portsentry-1.0.tar.gz  portsentry-1.0.tar.gz.asc
[root@e-smith portsentry]# rpm -K port*    
portsentry-1.0-14.src.rpm: md5 OK
portsentry-1.0.tar.gz: rpmReadSignature failed
portsentry-1.0.tar.gz.asc: rpmReadSignature failed
[root@e-smith portsentry]#


Since I get "not installed" AND "rpmReadSignature failed", has someone broken in and played with stuff?

I also need help understanding what these reports are:

Security Violations
=-=-=-=-=-=-=-=-=-=
Jul  3 19:19:52 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 209.9.193.78:2269 63.216.139.91:515 L=60 S=0x00 I=35186 F=0x4000 T=53 SYN (#1)
Jul  3 19:19:55 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 209.9.193.78:2269 63.216.139.91:515 L=60 S=0x00 I=36722 F=0x4000 T=53 SYN (#1)

Thanks
Richard Emory
jrejr@structuralsupport.net

Dan Brown

Re: Portsentry not installed? Remote compromise?
« Reply #1 on: July 04, 2001, 08:32:25 AM »
No, nobody's broken in and played with anything (at least, not on the basis of what you've shown)--all that's happening is that you don't know how to use RPM.  First, there's no point at all in installing a .src.rpm file on a stock (or anywhere near stock) e-smith system, as there are no compiler tools installed to build binaries.

When you're checking to see whether a package is installed (or what version is installed), you do "rpm -q [packagename]".  This part gets a little bit tricky, in that the correct name of an RPM file is generally packagename-version-release.architecture.rpm.  For example, with a package called portsentry, the file might be portsentry-1.0-11.i386.rpm.  If you do rpm -q portsentry, it'll return "portsentry-1.0-11".  If you do rpm -q portsentry-1.0-11.i386.rpm, you'll get "not installed", because there is no package by that name installed.  This is, I think, the source of a large part of your confusion.

The source of another large part of your confusion is that you're trying, for reasons unknown, to run rpm on files that aren't rpms.  There's a very good reason that rpm can't read a signature on your .tar.gz files--it's because they aren't rpms.

As to your other questions (in the future, it'd be a good idea to place separate subjects in separate posts, with reasonably descriptive subject lines): the nmap scan looks fairly normal.  I have no idea why you're querying telnet or nmap, or most anything else in your last series of rpm -q's, so I can't very well comment on the results.  However, if you're wanting to list all installed packages that contain "e-smith" in the name, the best way to do that is "rpm -qa | grep e-smith", not "rpm -q e-smith*" (which tries to run RPM queries on any _filename_ in the current directory which begins with e-smith).

As to the "security violations", it looks like somebody from an SDSL account with cais.net tried to connect to your machine on port 515, but was (correctly) blocked by the e-smith packet filter rules.  I wouldn't think it's anything to worry about, but if it recurs often, a note with the log entries to abuse@cais.net might not be out of order.
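An added example, not from either poster: a small POSIX shell helper for the two points made in this reply, deriving the package name that rpm -q expects from an RPM file name (so a file name is never passed to rpm -q by mistake), and pulling the interface, protocol, source and destination out of an ipchains "Packet log" DENY line like the ones quoted in the original post. The log line below is constructed with documentation addresses; rpm is only invoked if it is present on the host.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the two things the reply
# explains: querying RPM by package *name* rather than file name, and
# reading the fields of an ipchains "Packet log" DENY line.

# Turn an RPM file name (name-version-release.arch.rpm) into the package
# name that "rpm -q" expects.  Works for .src.rpm files too.
pkg_name_from_file() {
    f=$(basename "$1")
    f=${f%.rpm}      # drop .rpm
    f=${f%.*}        # drop architecture (i386, noarch, src)
    f=${f%-*}        # drop release
    f=${f%-*}        # drop version
    printf '%s\n' "$f"
}

# Query the installed package for a given file name; rpm is only run
# if present, so the helper is harmless on hosts without RPM.
query_installed() {
    name=$(pkg_name_from_file "$1")
    if command -v rpm >/dev/null 2>&1; then
        rpm -q "$name"
    else
        printf 'rpm not available; would run: rpm -q %s\n' "$name"
    fi
}

# Summarise one ipchains DENY log line as "iface proto src -> dst flags".
# Field layout follows the log lines quoted in the original post.
summarise_deny() {
    printf '%s\n' "$1" | awk '
        /Packet log:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "DENY")    { iface = $(i+1) }
                if ($i ~ /^PROTO=/)  { proto = substr($i, 7); src = $(i+1); dst = $(i+2) }
                if ($i == "SYN")     { flag = "SYN" }
            }
            if (proto == "6") { pname = "tcp" } else { pname = "proto=" proto }
            printf "%s %s %s -> %s %s\n", iface, pname, src, dst, flag
        }'
}

# Constructed sample line, modelled on the post (RFC 5737 addresses).
SAMPLE='Jul  3 19:19:52 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 203.0.113.7:2269 198.51.100.9:515 L=60 S=0x00 I=35186 F=0x4000 T=53 SYN (#1)'

pkg_name_from_file portsentry-1.0-11.i386.rpm   # portsentry
pkg_name_from_file portsentry-1.0-14.src.rpm    # portsentry
summarise_deny "$SAMPLE"
```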

Richard Emory

Re: Portsentry not installed? Remote compromise?
« Reply #2 on: July 04, 2001, 09:43:38 AM »
Thank you for your very informative response.
I type in:

[root@e-smith /]# rpm -q portsentry
portsentry-1.0-11

This means that I have portsentry installed.  Notice that I moved to a different sub-directory to run this.  So now I get a "clean" response.  So I learned how to better use rpm.

I queried telnet and nmap to compare the response from known good installed rpms.  I was trying to show the different responses I get.  I see that wildcards do not work as I assumed and I will grep the output from now on.

Thank you for answering the stuff about "security violations".  I get several of these a day and did not want to hassle a sys admin with trivial stuff.  I included it with this question because if there was a break-in, I would have provided you with the necessary information to get a better grip on the situation.  I have seen too many posts where they go back and forth asking for more information.  I figured the more the better.

BTW, is there a site that I can go to to get more information on what these messages mean?  And also on security.

Again, thank you sincerely for the help.