Re: Scan of on port 5232

[Dino Amato <slayer67 () APK NET>]

Yeah if you disable DGL, you wont be able to run X remotely, but the box
will still function.
So I would disable dgl in the inetd.conf unless its a workstation. This is
an SGI thing.

What OS were you running? Object Server is what sounds important here.
I believe this was fixed 6.5x. Are you running 5.3 or 6.2 ?


Thanks
Dino Amato

----- Original Message -----
From: "Jens Hektor" <hektor () RZ RWTH-AACHEN DE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, September 02, 2000 2:26 AM
Subject: Re: Scan of on port 5232


> Hello,
>
> > We were on the receiving end of a scan on port
> > 5232 the other night. I
>
> now we had also a scan on port 5232 (SGI
> Distributed Graphics).
>
> Two machines were cracked, a trojan ssh
> listening on port 13000 was installed.
>
> A bit unclear is which service was used to
> breakin.
>
> The recent telnetd feature is unlikely in the one
> case I have studied because this machine had
> wrappers installed and the logs indicate
> refused connects.
>
> The attacker re-configured
> this machine not to offer objectserver, autofs
> and pcnfsd so it most likely that one of these
> was used.
>
> Bye, Jens Hektor