rpcinfo query to www.example.server - Administration
This first article in a two-part series deals with tools to find security holes in webservers and workstations. Some of the topics covered are: port scanning, finding NFS security holes, and using lsof.
Using rpcinfo and showmount (on Linux some installations also ship kshowmount) you can query which services the sunrpc service, i.e. the portmapper, of a machine offers. If NFS is running, showmount -e lists the filesystems the server exports, and to whom.
# rpcinfo -p www.example.server
program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
As can be seen, the portmapper (program 100000) of www.example.server answers queries from external machines like ours. This is unnecessary: it is exactly what lets an outsider enumerate the RPC services of the host and, if mountd is registered, its NFS exports. It can be blocked by installing a portmapper or rpcbind with access control, or by filtering TCP and UDP port 111 at the firewall.
Because the NFS defaults are as braindead as the behaviour of NFS in case of syntax errors in the configuration file, it is a very common error to export filesystems completely unprotected and world writeable. The classic mistake in /etc/exports is a single stray space: "/home host(rw)" exports read-write to host, whereas "/home host (rw)" detaches the options from the host name, so host gets the defaults and everyone gets read-write. Here is a particularly severe case:
All directories listed as "everyone" are wide open. This includes "/var/spool/mail", containing live mail from several hundred users, as well as their home directories under "/u" and "/u1". Also writeable are "/usr/local" and "/usr/lib/cobol", making it very easy to install trojans. This system can be taken over by anyone without noticeable resistance. By manipulating software under "/install", you will probably subvert the additional clients built from the images stored in this tree as well. Such a system makes a fine base to trade warez and is an ideal launch pad for attacks against other sites. Does their insurance company cover the damages which will follow? Does yours?