Viruses, Trojans and Hackers III

Viruses, Trojans and Hackers III

This is the third of several security related articles. The intent of these articles is to present you with a fundamental understanding of the threats against your HP3000 and the impact these threats may have. Moreover, you will be able to converse intelligently with network and security administrators regarding the risks the HP3000 has on the Internet and Intranet. The previous articles focused on viruses and Trojans and how they affect the HP3000, and on the threat hackers pose. This article will explain the numerous network services that run on HP3000s.

A network service or “listener” is a program that listens on the network for incoming connections and performs a task. Denial of service attacks and hackers alike attempt to exploit bugs in these network services. As I explained in the first article in this series, the separation of code and data on MPE prevents the most serious exploits from causing any problem worse than a program abort.

SOCKINFO.NET.SYS is the utility that you should run to produce a list of listening network services. The opening screen in SOCKINFO produces a list of all currently connected sockets. After the initial display has completed, press letter “C” to present a record of listeners. The output will look something like this, showing for each listener the TCP port and its associate mnemonic, the PIN, the socket type (call or datagram), the protocol (TCP or UDP), the MPE user that is running the program, and the program name.

GLOBAL CALL/DATAGRAM SOCKET DISPLAY                                  12:00 pm

Port Addr     Pin T Prot User                       Program
-------------------------------------------------------------------------------
1570.arpavt   102 c tcp  (system process)           dsdad.net.sys
1542.rpm      102 c tcp  (system process)           dsdad.net.sys
1540.ptop     102 c tcp  (system process)           dsdad.net.sys
1538.rvt      102 c tcp  (system process)           dsdad.net.sys
1537.vt       102 c tcp  (system process)           dsdad.net.sys
1536.nft      102 c tcp  (system process)           dsdad.net.sys
1260.nloop    102 c tcp  (system process)           dsdad.net.sys
514.syslog    107 d udp  jsyslogd,mgr.syslog        syslogd.pub.syslog
162.snmptrp    80 d udp  (system process)           snmp.net.sys
161.snmp       80 d udp  (system process)           snmp.net.sys
139.smbp       79 c tcp  jinetd,manager.sys         inetd.net.sys
138           113 d udp  jinetd,manager.sys         nmbd20.samba.sys
137.nmbp       79 d udp  jinetd,manager.sys         inetd.net.sys
67.bootps      79 d udp  jinetd,manager.sys         inetd.net.sys
37.time        79 c tcp  jinetd,manager.sys         inetd.net.sys
37.time        79 d udp  jinetd,manager.sys         inetd.net.sys
23.telnet      79 c tcp  jinetd,manager.sys         inetd.net.sys
21.ftp         79 c tcp  jinetd,manager.sys         inetd.net.sys
13.daytime     79 c tcp  jinetd,manager.sys         inetd.net.sys
13.daytime     79 d udp  jinetd,manager.sys         inetd.net.sys
9.discard      79 c tcp  jinetd,manager.sys         inetd.net.sys
9.discard      79 d udp  jinetd,manager.sys         inetd.net.sys
-------------------------------------------------------------------------------
Totals: 34 sockets; 23 call sockets, 11 datagrams.

Below is a list of the most common network services (and their respective port number) that may be running on your HP3000. Your system may have other services that are not listed such as a custom network application provided by an application vendor. For instance, Ecometry users will see listeners for things like VisualMACS and Weborder.

ECHO (7) – Provides a port whereby a client can connect and send data to the host and the data will be returned or echoed back. Primarily used as a diagnostic tool. ECHO runs underneath JINETD and should not be running on most systems.

DISCARD (9) – As the name implies discard discards all input from a socket. Discard is run from JINETD and should not be running on most systems.

DAYTIME (13) – This services returns the current time in a human readable format. Daytime is run from jinetd and should not be running on most systems.

CHARGEN (19) – Is a means of generating characters and sending them to a socket. Chargen is run from jinetd and should not be running on most systems.

TIME (37) – Returns the current time in a machine readable format. Time is run from jinetd and may or may not be running depending upon your use of the service.

FTP (21) – File Transfer Protocol is run from jinetd on MPE/IX 6.0 and higher. On 5.5 systems and older FTP runs as a separate batch job. FTP may or may not be running depending upon your use of the service. On most systems it will be running. The FTP service is not required for outbound FTP access to other systems via MPE’s FTP client FTP.ARPA.SYS. It is only used for inbound FTP connections.

TELNET (23) – Allows incoming Telnet connections to the system. Telnet may or may not be running depending upon your use of the service. It is an alternative to NS/VT terminal connections. Similar to the FTP service, the TELNET service is not required to run the TELNET.ARPA.SYS client to connect to other systems.

BOOTPS (67) – Similar to DHCP, this services can be used to dynamically provide boot information such as TCP/IP address and default gateway to LAN devices such as JetDirect print servers. Device download their configuration based upon a cross reference file. Bootp may or may not be running depending upon your use of the service. On most systems it should not be running.

TFTP (69) – Trivial File Transfer Protocol – run from jinetd. A subset of FTP. This should not be running on most systems.

DNS (53) – Domain Name Services. On the HP3000 this service is provided by Berkely Internet Name Daemon (BIND.) It may or may not be running depending upon your use of the service, but most sites will use some other server to provide DNS services and not run BIND directly on the HP3000.

APACHE (80 or 443) – HTTP Web SERVER. Runs as a standalone job. Should only be running on systems that are intended to serve data to web browsers.

HTTP (80) – Standard HTTP service

HTTPS (443) – Secure (encrypted) HTTP service (requires WEBWISE product)

SWAT (901) – SAMBA configuration service. Swat can run as part of jinetd. It may or may not be running, depending upon your use of SAMBA, and not all versions of SAMBA support the use of swat.

SAMBA (137 or 139) – File Sharing utility. Allow PC’s to map to disc space on the HP3000. The HP3000 appears as a Windows NT server. SAMBA can run as either batch jobs or out of jinetd.

nmbp (137) – Enables the system to answer to requests to appear in “network neighborhood”

smbp (139) – Provides that actual file sharing capabilities.

SAMBA may or may not be running depending upon your use of the service.

SNMP (161 and 162) – Simple Network Management Protocol. Used by network monitoring tools such as Openview to glean configuration information from system. SNMP is always running by default but may be turned off or restricted. If you want the service turned off, you must turn it off after each network/system restart. The UDC file SNMPUDC.NET.SYS must be cataloged to enable the SNMPCONTROL STOP command. To restrict the use of SNMP, assign or change the agent-community-name: parameter in SNMPCONF.NET.SYS.

STM – System diagnostics – On MPE/IX 6.5 systems and higher this will normally be running.

SYSLOG (514) – Event Message logging service used by most UNIX based systems and needed for many of the services ported to MPE from the UNIX world. Think of SYSLOG as similar to system console logging. SYSLOG is required for some of the other network services such as BIND/DNS. It is also required for the ARMSRVR disk array monitoring software for SureStore Model 12h disk arrays.

VTA (1570) – The standard HP3000 virtual terminal service. Used by Reflection or Minisoft users connecting with VT-MGR protocol. VTA is started by the NSCONTROL START command. In addition to VTA, NS3000 starts a handful of other processes using port numbers such as 7490, 7489, 5760, 5710, 5696, 2564, 2560, 1542, 1540, 1538, 1537, 1536, and 1260.Many of these are for HP3000 to HP3000 communication to support things like remote database access, dsline/dscopy. Each of these will appear in SOCKINFO owned by program DSDAD.NET.SYS.

ODBC () – Open Database Connectivity. There are several vendors who provide ODBC on the HP3000. Each uses their own unique port number. Depending upon whether you are providing ODBC services determines whether or one of these will be running.

Any service that runs as part of JINETD can be stopped by editing INETDCNF.NET.SYS file. Place a “#” in column one for any given service to disable it. To activate your changes without stopping and restarting JINETD, enter

:INETD.NET -c << must be a lower case C>>

Additionally you can restrict the use of INETD services to specific IP addresses by placing entries in INETDSEC.NET.SYS.

Other services have their own configuration files that determine whether or not they run and any additional security constraints. Refer to the product documentation or call us for assistance.

From a security standpoint only those services that are required for production should be enabled. All other services should be disabled. Review the SOCKINFO output to identify all listeners and shut down any that are not essential. For those services deemed necessary, familiarize yourself with the security risks and how they may affect your system. The fewer services running, the fewer possible security holes there are to be exploited.