SUMMARY: Strange Xaudio Problem

From: Rodney Wines (Rodney.Wines@ahqps.alcatel.fr)
Date: Tue Mar 14 2000 - 06:43:00 CST


I got several helpful responses to my question, and thanks to all of you.

----- Original Question -----
> As far as I know, we're doing nothing with X audio. However, on one of our
> Solaris systems:
>
> SunOS nsfwsd 5.6 Generic_105181-17 sun4u sparc SUNW,Ultra-250
>
> I'm getting messages similar to the following every few minutes.
>
> Mar 13 17:55:36 nsfwsd inetd[173]: /usr/openwin/bin/Xaserver: Hangup
> Mar 13 17:59:13 nsfwsd last message repeated 238 times
>
> I have removed "xaudio" from inetd.conf, and the messages have stopped.
> There is not an "Xaserver" executable on the system, so I do not know why
> anybody would be trying a connection. Is there any way to figure out where
> these connections are coming from?

As for why anybody would be trying a connection, the consensus seemed to be
that someone was doing a port scan and/or trying to hack my system. Mark
Bergman said it best, "The presence of xaudio in inetd.conf is a known
bug (http://oliver.efri.hr/~crv/security/bugs/SunOS/xaserver.html), and
repeatedly attempting to connect to the Xaserver can cause inetd to loop,
running the machine out of memory. In addition, there are a number of Xlib
vulnerabilities that someone may be trying to exploit in Xaserver."

So, removing "xaudio" from inetd.conf was, as it turns out, the recommended
solution.

As for who was doing this to me, there were several suggestions. The first
was from Jeff Kennedy, "I don't know if you can track the connection now but
if you run inetd with the '-t' option it will log all tcp connections to the
server. This may help with future issues but not this one I'm afraid." So,
I now run "inetd -st". Now, I'm getting:

Mar 14 12:43:11 nsfwsd inetd[21337]: fs/tcp: bind: Address already in use
Mar 14 12:53:11 nsfwsd inetd[21337]: fs/tcp: bind: Address already in use
Mar 14 13:03:11 nsfwsd inetd[21337]: fs/tcp: bind: Address already in use
Mar 14 13:13:11 nsfwsd inetd[21337]: fs/tcp: bind: Address already in use
Mar 14 13:23:11 nsfwsd inetd[21337]: fs/tcp: bind: Address already in use

It would appear that somebody is doing something else stupid, so I'll have to
track this down as well ...

It was also suggested that I use TCP wrappers. As it turns out, I was
installing them when I found the problem. Michael Sullivan also said, "Get
something like Klaxon, Courtney or Gabriel to watch for these sort of network
probes." I've heard of Gabriel, but not the other two. Such a tool sounds
like a good idea.

Michael also mentioned a "fake port responder" in TCP wrappers. I'd never
heard of it before, but I'll definately be having a look at this.

Many thanks to everyone who replied.

Rodney



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:04 CDT