Re: INGRESLOCK - Could it be someone trying to attack - Summary

From: Alan Kong <kkkong_at_ee.cuhk.edu.hk>
Date: Wed Sep 26 2007 - 21:56:42 EDT
Dear All,
Thank you for your advice and help:
- Casper (Casper.Dik@Sun.COM)
- joe_fletcher@btconnect.com
- Ric Anderson (ric@opus1.com)
- JayJay Florendo (arflorendo@gmail.com)

Summary:
1) "It's just a coincidence; the system has used port 1524 (ingreslock) 
to connect to your SPARC";

2) "There used to be a standard hack years ago against the ingreslock port on Solaris. 
Thought it was well patched by now though.";

3)"Check /etc/inet/services (and make sure /etc/services is a symbolic
link to /etc/inet/services) for INGRESLOCK."

4) "Look at the source and dest IPs. If you don't recognize them, you may be under attack."

I agree that it was just a coincidence that port 1524 was used to connect to the Sparc. The Sun Sparc has up-to-date patches and nothing abnormal was observed for the last few days.

Regards
Alan

Alan Kong wrote:
> Dear Managers,
> The following was observed when I ran "snoop" on a Sun sparc workstation 
> running Solaris 8. I was connecting to the work station using ssh from 
> a PC at that moment:
>  1   0.00000 137.189.3.6 -> cus12.cuhk.edu.hk INGRESLOCK R port=22
>   2   0.00006 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22
>   3   0.32806 137.189.3.6 -> cuees12.cuhk.edu.hk INGRESLOCK R port=22
>   4   0.53146 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22
>   .....
> 194   0.00006 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22 \203/n
> \305;=\f\357)?\320=\342z\4\342f\315rJ
>  
> I have searched on Google and some mentioned "INGRESLOCK" indicated 
> someone tried to hack but it doesn't mean I have been exploited. Could 
> you please help to confirm that the machine was not exploited.
>
> Thank you.
>
> Regards
> Alan
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu Sep 27 17:36:47 2007
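
Added example, not part of the original thread: a small Python check that reads snoop summary lines like the ones quoted above and reports which host actually owns port 1524, so a peer's source port that happens to be 1524 can be told apart from traffic to a local listener on that port. It assumes snoop's `SERVICE C port=N` / `SERVICE R port=N` convention (C is sent towards the named service port, R is sent from it); the function names and the `local_services` parameter are hypothetical.

```python
import re

# snoop summary line: "<n> <delta> <src> -> <dst> <SERVICE> <C|R> port=<p>"
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<svc>[A-Z]+)\s+(?P<dir>[CR])\s+port=(?P<port>\d+)"
)

SERVICES = {"INGRESLOCK": 1524}  # name -> port, as listed in /etc/inet/services


def endpoints(line):
    """Return (src, sport, dst, dport) for one summary line, or None."""
    m = LINE.match(line)
    if not m or m["svc"] not in SERVICES:
        return None
    named, other = SERVICES[m["svc"]], int(m["port"])
    # Assumption: "C" = sent towards the named service port, "R" = sent from it.
    if m["dir"] == "C":
        return m["src"], other, m["dst"], named
    return m["src"], named, m["dst"], other


def classify(lines, local_host, local_services=(22,)):
    """Say which side of each flow owns the port that snoop named."""
    verdicts = set()
    for line in lines:
        ep = endpoints(line)
        if ep is None:
            continue
        src, sport, dst, dport = ep
        local_port = sport if src == local_host else dport
        peer, peer_port = (dst, dport) if src == local_host else (src, sport)
        if local_port in local_services:
            note = "peer source port; traffic is to local port %d" % local_port
        else:
            note = "local port %d is not an expected service: check for a listener" % local_port
        verdicts.add((peer, peer_port, note))
    return sorted(verdicts)


# First two lines of the capture quoted in the thread.
SAMPLE = """\
  1   0.00000 137.189.3.6 -> cus12.cuhk.edu.hk INGRESLOCK R port=22
  2   0.00006 cus12.cuhk.edu.hk -> 137.189.3.6 INGRESLOCK C port=22
""".splitlines()

if __name__ == "__main__":
    for peer, port, note in classify(SAMPLE, "cus12.cuhk.edu.hk"):
        print(peer, port, note)
```

For the quoted capture this reports 1524 as the PC's source port with the traffic going to local port 22, which matches the coincidence explanation in the summary.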

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:07 EST