SUMMARY: SATAN - drives a poor Daemon mad

From: Jochen Bern (bern@penthesilea.uni-trier.de)
Date: Wed Jun 28 1995 - 07:14:02 CDT


Ooops, a little late ... I wrote:
> I ran it [SATAN] against my Hosts this Eve
> and observed that it made rpc.ttdbserverd on the scanned
> Host go wild and spam syslogd with the Messages:
> <Date&Host> rpc.ttdbserverd<PId>: refused connect from unknown
> <Date&Host> rpc.ttdbserverd<PId>: error: can't get client address: Socket is not connected
> Doing a kill -HUP to inetd cures the Problem. kill'ing any of
> the rpc.ttdbserverd's does not AFAICT.
> The first Line actually comes from the TCP Wrappers. Note the
> "unknown"; My Hosts are currently allowed to access each other's
> rpc.ttdbserverd. Probably one of SATAN's get-in-by-the-Backdoor
> Attempts.
> 1) What's that Daemon, anyway? (I RTFMed, which pointed me to
> ToolTalk, but ToolTalk Activities never produced a TCP Log
> for ttdbserverd on my Hosts so far.) Can I safely block it?
> 2) How do I prevent that looping Red Alert? Is there a patched
> Version of whatever-really-goes-wild?
> 3) Assumed that neither Blocking nor Patching are viable, what
> are the Implications of doing a kill -HUP to inetd in regular
> Intervals (like 20 Seconds)?

Weeeeell, apart from several Replies to the Effect of "where'd you
get SATAN / Perl 5.0", there was only one Response from John Hearns
<johnh@gerbil.umds.ac.uk> who thinks that the SATAN Docs recommend
turning off TCP Wrappers before running SATAN. I remember differently
(just try avoiding Finger Wars), plus, it's not an Option for healing
*other People's* SATAN Runs. (Which is why I haven't investigated
the Effect of newer SATAN Versions on this Issue, either.)

For the Time being, I've set up a procmail Rule to prevent another
153,000 Alert Mails Surprise:

# Destroy unwanted Email right away
# -- SATAN tends to make inetd on SunOS 4.x mad. Let *some* of the Mails
# pass (10 Seconds Window per Hour) to alert me
:0Di
* ^From: nobody
* ^Subject: ALERT-rpc.ttdbserverd-unknown
* !^Date: .*:00:0
/dev/null

(where the Subject is what TCP Wrapper Alert Mails on rpc.ttdbserverd
caused by SATAN look like under my TCP Wrapper Setup).

More Info still welcome.

Regards,
                                                                J. Bern

-- 
  /\  /""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""\
 /  \/ bern@uni-trier.de (7Bit,Size Limit!) | P.O. Box 1203 | Ham:  \/\
/ J. \ bern@ti.uni-trier.de (8Bit,SUN Att.) | D-54202 Trier | DD0KZ /  \
\Bern/ No Finger etc.; Use Mail (Subj. "##" for Autoreply List) and \  /
 \  /\ WWW. /\/
  \/  \____________________________________________________________/
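
The procmail recipe in the message above, modelled in Python as an added example (not part of the original post, and not procmail itself): it applies the recipe's three conditions, including the case sensitivity of the D flag, to constructed headers to show which alert mails are deleted and how many survive a flood. The header layout, the +0200 zone, the one-mail-per-second rate and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Conditions copied from the recipe; True marks a "!" (inverted) condition.
CONDITIONS = [
    (False, r"^From: nobody"),
    (False, r"^Subject: ALERT-rpc.ttdbserverd-unknown"),
    (True,  r"^Date: .*:00:0"),
]

def recipe_discards(header: str, case_sensitive: bool = True) -> bool:
    """True if every condition holds, i.e. the mail is sent to /dev/null.

    case_sensitive=True models the recipe's D flag; procmail matches
    case-insensitively without it.
    """
    flags = re.MULTILINE | (0 if case_sensitive else re.IGNORECASE)
    for inverted, pattern in CONDITIONS:
        hit = re.search(pattern, header, flags) is not None
        if hit == inverted:          # condition not satisfied
            return False
    return True

def make_header(when, sender="nobody",
                subject="ALERT-rpc.ttdbserverd-unknown"):
    # Constructed header block; the Date layout is an assumption.
    return (f"From: {sender}\n"
            f"Subject: {subject}\n"
            f"Date: {when:%a, %d %b %Y %H:%M:%S} +0200\n")

def delivered_in_flood(start, seconds):
    """Timestamps of alerts that survive a one-mail-per-second flood."""
    delivered = []
    for i in range(seconds):
        when = start + timedelta(seconds=i)
        if not recipe_discards(make_header(when)):
            delivered.append(when)
    return delivered

if __name__ == "__main__":
    start = datetime(1995, 6, 28, 6, 30, 0)       # constructed start time
    kept = delivered_in_flood(start, 2 * 3600)
    print(f"{len(kept)} of 7200 alerts delivered")
    for when in kept[:3]:
        print("  passed:", when.strftime("%H:%M:%S"))
    # The From condition is a prefix match, so longer sender strings
    # that begin with "nobody" are deleted as well.
    odd = make_header(start, sender="nobody@host.example")
    print("nobody@host.example discarded:", recipe_discards(odd))
```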


