
rpcinfo query to www.example.server - Administration

This first article in a two-part series deals with tools to find security holes in webservers and workstations. Some of the topics covered are: port scanning, finding NFS security holes, and using lsof.

TABLE OF CONTENTS:
  1. Webserver Security (Part I)
  2. The server offers services it was not intended to
  3. Dumping a zone using nslookup
  4. Other Helpful Tools
  5. rpcinfo query to www.example.server
  6. Remote SNMP queries
By: Kristian Kohntopp
April 19, 2000

Using rpcinfo and showmount (Linux: also kshowmount in some installations) you may query which services the sunrpc service of your machine offers. If NFS is running, it is possible to get a list of exported filesystems from the server.
# rpcinfo -p www.example.server
program vers proto   port
100000    4   tcp    111  portmapper
100000    3   tcp    111  portmapper
100000    2   tcp    111  portmapper
100000    4   udp    111  portmapper
100000    3   udp    111  portmapper
100000    2   udp    111  portmapper
As can be seen, the sunrpc service of www.example.server is talking to external machines like ours. This is unnecessary and can be blocked by installing an rpcbind program with access control or by configuring the firewall.

Because the NFS defaults are as braindead as the behaviour of NFS in case of syntax errors in the configuration file, it is a very common error to export filesystems completely unprotected and world writeable. Here is a particularly severe case:
# /usr/sbin/kshowmount -e center2.sample-university.net
Export list for center2.sample-university.net:
/usr/lib/cobol       (everyone)
/usr/sys/inst.images (everyone)
/stadtinf            (everyone)
/var/spool/mail      (everyone)
/usr/lpp/info        (everyone)
/usr/local           (everyone)
/pd-software         (everyone)
/u1                  (everyone)
/user                (everyone)
/fix                 (everyone)
/u                   (everyone)
/ora                 rzws01
/install             (everyone)
/ora-client          192.168.15.20
All directories listed as "everyone" are wide open. This includes "/var/spool/mail", containing live mail from several hundred users, as well as their homes under "/u" and "/u1". Also writeable are "/usr/local" and "/usr/lib/cobol", making it very easy to install trojans. This system can be taken by anyone without noticeable resistance. By manipulating software under "/install", you will probably subvert additional clients produced from the images stored in this tree. This particular system will make a fine base to trade warez and is an ideal system to launch attacks against other sites. Does their insurance company cover the damages which will follow? Does yours?
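To run the same check against your own server's export list, the following added example (not part of the original article) parses showmount -e output and reports every export that any host can mount. The function names and the SENSITIVE prefix map are assumptions of this example; it also treats "*" as unrestricted, which goes beyond the "(everyone)" form shown above.

```python
WORLD = {"(everyone)", "*"}  # client fields meaning "any host"
# Reasons the article gives for specific trees; this prefix map is an
# assumption of the example and should be adapted per site.
SENSITIVE = {
    "/var/spool/mail": "user mail exposed",
    "/usr/local": "software tree, trojans can be installed",
    "/usr/lib": "software tree, trojans can be installed",
    "/install": "install images reused by other clients",
}

# Subset of the export list shown in the article.
SAMPLE = """\
Export list for center2.sample-university.net:
/usr/lib/cobol       (everyone)
/var/spool/mail      (everyone)
/usr/local           (everyone)
/u                   (everyone)
/ora                 rzws01
/install             (everyone)
/ora-client          192.168.15.20
"""

def parse_exports(text):
    """Return [(path, [clients])] for each export line."""
    exports = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or not parts[0].startswith("/"):
            continue  # header or blank line
        clients = parts[1].split(",") if len(parts) > 1 else []
        exports.append((parts[0], [c.strip() for c in clients]))
    return exports

def audit(text):
    """Return [(path, reason)] for exports any host can mount."""
    findings = []
    for path, clients in parse_exports(text):
        # A missing client field is treated as unrestricted (fail closed).
        if clients and not WORLD & set(clients):
            continue
        reason = next((why for prefix, why in SENSITIVE.items()
                       if path == prefix or path.startswith(prefix + "/")),
                      "open to all clients")
        findings.append((path, reason))
    return findings

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path:22} {reason}")
```

Feed it the output of showmount -e for a host you administer; an empty result means every export names specific clients.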

 
 