
SANS ISC InfoSec Handlers Diary Blog



Solaris telnet/rlogin cont.; Timezones; DNS queries

Published: 2005-03-27
Last Updated: 2005-03-27 23:55:30 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Happy Easter!

Solaris telnet/rlogin cont.

Regarding the telnet and rlogin attacks on Solaris systems, a reader mentioned they might be related to
http://www.kb.cert.org/vuls/id/569272
(dated 2001). He also mentioned that he saw outgoing packets from a rootkit. We're looking for confirmations, and we're still looking for the malware itself.

As a precaution you might want to check if your Solaris boxes are up to date on security patches.

Also, one should seriously consider not exposing telnet and the "r" protocols at all, and replacing them with e.g. ssh, which offers similar functionality with less risk, since it is far less trusting by nature.

Timezones a big mess?

Many of us handlers don't like timezones all that much. Proof of that could well be that the shift changes we do as handler of the day (HOD) are at 0:00 UTC.

But the reason for you to be concerned about timezones is not that our shifts end then. On a day like today, part of the world switched to daylight saving time. Europe (and probably a bit more) skipped from 2AM to 3AM local time last night.

Modern OSes can handle those changes, but your logfile analysis becomes a lot harder. E.g. something that went on from 1:59 till 3:01 only lasted 2 minutes, not a bit more than an hour.

Worse is the switch in the other direction: then every moment between 2am and 3am occurs twice in one night, making it nearly impossible to calculate anything from those timestamps alone.

Next week most of the US will switch (except Arizona), so perhaps it's time to consider putting your security logs in UTC or GMT if you haven't done so over the years. It is a lot easier to exchange notes on the Internet if you do.
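To make the two problems above concrete, here is an added example (not from the diary) that runs over a couple of constructed log lines stamped in local wall-clock time, as most daemons wrote them back then. It assumes the logging host sits in the Europe/Brussels zone, which switched from CET to CEST on 2005-03-27, and uses Python's zoneinfo database to do the conversion. It shows the 2-minute session that looks like 62 minutes when the raw stamps are subtracted, detects stamps that name two instants (the autumn fall-back) or none (the spring-forward gap), and re-stamps lines in UTC the way you would want them written in the first place.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumption: the logging host writes local wall-clock time without a zone
# marker, and its zone is Europe/Brussels (CET/CEST, switched on 2005-03-27).
LOCAL_TZ = ZoneInfo("Europe/Brussels")

# Constructed log lines (not from the diary): a session that spans the
# spring-forward gap. Wall clock 01:59 CET and 03:01 CEST are 2 minutes apart.
SPRING_LOG = [
    "2005-03-27 01:59:00 sshd[1234]: Accepted password for admin from 10.0.0.5",
    "2005-03-27 03:01:00 sshd[1234]: session closed for user admin",
]


def parse_wallclock(stamp):
    """Read a 'YYYY-MM-DD HH:MM:SS' stamp (or the start of a log line)
    as a naive, zone-less datetime."""
    if isinstance(stamp, datetime):
        return stamp
    return datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S")


def naive_duration(lines):
    """Subtract the raw wall-clock stamps: wrong across a DST switch."""
    return parse_wallclock(lines[-1]) - parse_wallclock(lines[0])


def to_utc(stamp, tz=LOCAL_TZ, fold=0):
    """Attach the local zone and convert to UTC. fold selects the first (0)
    or second (1) occurrence of a wall-clock time that happens twice in autumn."""
    return parse_wallclock(stamp).replace(tzinfo=tz, fold=fold).astimezone(timezone.utc)


def utc_duration(lines, tz=LOCAL_TZ):
    """Elapsed time between the first and last line, measured in UTC.

    Converting both ends to UTC *before* subtracting matters: Python subtracts
    two aware datetimes that share the same tzinfo object on their wall-clock
    values, so 'last_local - first_local' would still report 62 minutes here."""
    return to_utc(lines[-1], tz) - to_utc(lines[0], tz)


def classify_wallclock(stamp, tz=LOCAL_TZ):
    """Say whether a local stamp names one instant ('unique'), two
    ('ambiguous', autumn fall-back) or none ('nonexistent', spring-forward gap).
    Returns (kind, sorted list of candidate UTC instants)."""
    naive = parse_wallclock(stamp)
    instants = set()
    for fold in (0, 1):
        utc = to_utc(naive, tz, fold)
        # A stamp inside the gap never round-trips back to the same wall clock.
        if utc.astimezone(tz).replace(tzinfo=None) != naive:
            return "nonexistent", []
        instants.add(utc)
    kind = "ambiguous" if len(instants) == 2 else "unique"
    return kind, sorted(instants)


def rewrite_in_utc(line, tz=LOCAL_TZ):
    """Re-stamp a log line in UTC, marking stamps that the wall clock alone
    cannot resolve; logging in UTC from the start avoids the whole problem."""
    kind, instants = classify_wallclock(line, tz)
    if kind == "unique":
        stamp = instants[0].strftime("%Y-%m-%d %H:%M:%SZ")
    else:
        stamp = f"{line[:19]} [{kind.upper()}]"
    return stamp + line[19:]


if __name__ == "__main__":
    print("naive duration:", naive_duration(SPRING_LOG))
    print("UTC duration:  ", utc_duration(SPRING_LOG))
    for entry in SPRING_LOG:
        print(rewrite_in_utc(entry))
    print(classify_wallclock("2005-10-30 02:30:00"))  # the autumn double hour
    print(classify_wallclock("2005-03-27 02:30:00"))  # the spring gap
```

The same round-trip check is what you want in any log normaliser: a stamp that does not convert back to itself was never a real instant, and a stamp with two candidates cannot be ordered against its neighbours without extra context such as a sequence number or the zone abbreviation in the line.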

DNS queries

Andreas wrote in to ask about continuous traffic to the root nameservers.

Traffic to the root nameservers ([A-M].ROOT-SERVERS.NET) as such isn't an immediate reason for concern; those servers are there for an important reason.

It should start to worry you if the traffic originates from machines that are not DNS servers themselves, as those should send their questions to whatever server they've been given as a cache.

It should become reason for serious concern if you see a high rate of traffic toward these servers, as it most likely means your machine is participating in some denial-of-service (DoS) against them. This can be done through some malware or by your machine being part of a botnet.

Figuring out what is going on will probably require looking at the packets being exchanged with these servers.

If any of you see an increase let us know, perhaps there's a trend.
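As an added example (not from the diary), the three-step reasoning above as detection logic: for each source host, sum the packets it sent to port 53 on any root server, then classify the host as "ok" (a known caching resolver at a modest rate), "warn" (a host that is not a resolver yet talks to the roots directly) or "alert" (a high packet rate, which warrants looking at the packets). The log lines, the resolver list and the rate threshold are all constructed for the example; destination names are shown already resolved so it runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the diary): the caching resolvers your clients are
# handed by DHCP, and the per-source packet rate above which root-server
# traffic looks like DoS participation rather than resolver housekeeping.
KNOWN_RESOLVERS = {"10.0.0.53"}
HIGH_RATE_PKTS_PER_MIN = 60

# Matches any of the thirteen root server names the diary refers to.
ROOT_SERVER = re.compile(r"^[a-m]\.root-servers\.net$", re.IGNORECASE)

# Constructed flow/firewall log lines (not real traffic).
LOG = [
    "2005-03-27T10:00:00Z src=10.0.0.53 dst=a.root-servers.net dport=53 pkts=3",
    "2005-03-27T10:01:00Z src=10.1.2.3 dst=b.root-servers.net dport=53 pkts=2",
    "2005-03-27T10:01:30Z src=10.1.2.3 dst=ns1.example.net dport=53 pkts=40",
    "2005-03-27T10:02:00Z src=10.1.2.99 dst=c.root-servers.net dport=53 pkts=300",
    "2005-03-27T10:04:00Z src=10.1.2.99 dst=k.root-servers.net dport=53 pkts=300",
    "2005-03-27T10:05:00Z src=10.0.0.53 dst=m.root-servers.net dport=53 pkts=3",
    "2005-03-27T10:06:00Z src=10.1.2.99 dst=f.root-servers.net dport=53 pkts=300",
    "2005-03-27T10:10:00Z src=10.0.0.53 dst=www.example.net dport=80 pkts=12",
]

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) pkts=(?P<pkts>\d+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; skip anything that doesn't match."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        rec["pkts"] = int(rec["pkts"])
        yield rec


def root_traffic_by_source(lines):
    """Sum packets per source host sent to port 53 on any root server.
    Returns (per_source_packets, observation_window_in_minutes)."""
    per_src = defaultdict(int)
    first = last = None
    for rec in parse(lines):
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
        if rec["dport"] == 53 and ROOT_SERVER.match(rec["dst"]):
            per_src[rec["src"]] += rec["pkts"]
    # Window spans the whole log, never less than a minute to avoid a divide by zero.
    minutes = max(1.0, (last - first).total_seconds() / 60) if first else 1.0
    return dict(per_src), minutes


def assess(lines, resolvers=KNOWN_RESOLVERS, high=HIGH_RATE_PKTS_PER_MIN):
    """Classify every source seen talking to the roots.
    Returns {source: (level, reason)} with level in {'ok', 'warn', 'alert'}."""
    per_src, minutes = root_traffic_by_source(lines)
    verdicts = {}
    for src, pkts in per_src.items():
        rate = pkts / minutes
        if rate >= high:
            verdicts[src] = ("alert", f"{rate:.0f} pkts/min to the roots; "
                                      "possible DoS participation, inspect the packets")
        elif src not in resolvers:
            verdicts[src] = ("warn", "not a known resolver, yet querying the roots directly")
        else:
            verdicts[src] = ("ok", "resolver refreshing root hints or walking the tree")
    return verdicts


if __name__ == "__main__":
    for src, (level, reason) in sorted(assess(LOG).items()):
        print(f"{level:5} {src:12} {reason}")
```

The rate threshold is deliberately a parameter: a busy campus resolver legitimately sends far more to the roots than a branch-office one, so calibrate it against a week of your own baseline before alerting on it.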

--

Swa Frantzen