Re: solaris lpd, KARMAPOLICE?

From: Ken K (kenat_private)
Date: Wed Aug 29 2001 - 13:22:22 PDT


    Considering that there's an exploit big enough to drive a truck through 
    for LPD on Solaris, you might want to check to see if the version that 
    you have is vulnerable.  LPD is really bad to run on the net and the 
    recent vulnerability could be your problem.
    
    Hope your server was 1.) In a DMZ, 2.) Has tripwire and can tell you what 
    changed.  Otherwise, I would be _very_ wary.
    
    You should consider some kind of authenticated tunnel or such.  Maybe 
    stunnel will work for you on a high to deflect some of the risk.
    
    --Ken
    
    Ricky Vludmore wrote:
    
    >I have a SunOS 5.8 system with a printer attached to it (used
    >to service print requests on my company's network). It's a
    >fairly busy printer. It's accessible via the Internet, with
    >reason.
    >
    >Yesterday I went to investigate why a large batch of jobs had 
    >frozen. I discovered that they had been erased. Strange 
    >considering that nobody else has access to this machine and 
    >I haven't seen it happen before. I snooped around and noticed
    >some very strange activity, namely what appeared to be signs
    >of an intrusion- idle shell processes and other abnormalities.
    >Not thinking, I pulled the plug :-(
    >
    >The only indication of an intrusion now is a log file that 
    >shows someone requesting a print request to or from a 
    >"KARMAPOLICE" printer/server which I don't recognize at 
    >all. 
    >    
    >Ring any bells?
    >
    >
    >
    >------------------------------------------------------------
    >This email was sent through the free email service at http://www.anonymous.to/
    >To report abuse, please visit our website and click "Contact Us."
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    >
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 10:30:15 PDT