SUMMARY: Security Problem?

From: Jian Ye (ye@software.org)
Date: Thu Apr 06 1995 - 00:40:30 CDT


Thanks for the quick responses. My original question was:

> When I got into my office this morning, I saw a message on the console,
>
> NIS: server not responding for domain "Wd"; still trying.
>
> I am afraid there was some illegal access to the system, since there
> has never been a message like that before. All systems appear to
> function normally.
>

I am sorry for not being clear about the domain name. NO! domain "Wd" is
not our domain, nor is "^d". The latter one is what was actually shown
on my console, but when I copied and pasted via the xwindows clipboard, '^' became
'W'.

I do not think this is related to an NIS server problem, because if that's
the case, we should see the machine hanging, the same message scrolling
repeatedly and the domainname is not "^d". It only registered once on
the console, then there was no trace of any problem. Well, I will stay
alert from now on and find out more about UNIX security.

Thanks to everyone who responded.

Here are the detailed responses:

Possible, but ypcat -d Wd would work just as well.

Casper

================================================================
Check to see if your NIS server is up and accessible on the net.

michael pearlman

================================================================
This may be in the FAQ....

On your machine there is a process called "ypbind" which is bound to one of
your NIS servers. If there's a problem with the net or something which
causes the timeout-interval of ypbind to exceed, this message will be
displayed. In other words: if the connection between ypbind and the "ypserv"
process on the NIS server is (temporarily) down, you will get informed in this
way.
If this was really the first time you saw that message then you're a lucky
person (or you haven't been working too much with this kind of computers ;-)

One single warning doesn't matter. If these messages won't stop, check out
your network connections and/or ypbind/ypserv...

Juergen

================================================================
It looks like someone tried to bind to your domain, probably to use
ypcat to get your password file.

You haven't said what your OS is. For 4.1.1 through 4.1.3 apply the ypserv and
ypxfrd security patch (currently 100482-06). It allows for restricted access
via the file /var/yp/securenets.

You can get this patch (or find out which one you need for another version of
the OS) by anonymous ftp to sunsolve1.sun.com, directory pub/patches. It may
be a little easier to sort things out if you use mosaic or netscape to open
the URL ftp://sunsolve1.sun.com/pub/patches/patches.html#1.1-patches.

Roberto

================================================================
We have the same problem here. The only solution to this
is to crash the machine and reboot.

It happens about once a month, but is not related to a
specific host. And sometimes it happens to a bunch
of hosts or many times in a row to one host.
Not very easy to debug.

Real Page

================================================================
Assuming Wd is in fact your NIS domain name, that message indicates
that, for some modest period of time, the NIS server (or the network
connection between this machine and the NIS server) was down. The
message may have also been logged somewhere like /var/adm/messages,
with a timestamp.

If the server did in fact reboot around that time, that would explain
the message; if not it may have had to do with some kind of transient
network problem. I think it is unlikely to indicate a security problem.

Perry Hutchison

================================================================
Do you have a domain Wd?? If you do a ps you should be able to find
a ypbind running someplace.

If you do have that domainname around, I suspect you just had a slow
server for a while.

Might just be a high load on your NIS server or network.

                l & h,
                kev

================================================================
Your NIS server went down, appeared to go down, or was extremely
busy.

boyd

================================================================

        I am not sure what help I could be. Perhaps you have sent out the
summary already. I have been on vacation, and saw this one first.
        I have occasionally seen this problem intermittently, until
I attempted a test NIS+ environment on my machine in a subnet. Now
the dns master, and my machine scroll this message constantly. In my
case, I will re-install the OS on my machine. It appears to be an
improperly setup dns/nis setup.

        I eagerly await your summary.

Pamela Pledger
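
Added example (not part of the original thread or any respondent's code): a Python sketch of the check the replies point toward, reading logged copies of the console message and separating a domain name that is not your own from repeated timeouts against your own domain. Only the message text comes from the thread; the syslog prefix, the sample lines, the domain name example.nis and the repeat threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the thread; everything around it in a log line is assumed.
NIS_MSG = re.compile(r'NIS: server not responding for domain "([^"]*)"; still trying')

def triage(lines, expected_domain, repeat_threshold=3):
    """Classify NIS timeout messages found in log lines.

    Returns (foreign, repeated, counts):
      foreign  - domain names seen that differ from expected_domain, which
                 means something on the host tried to bind to another domain
      repeated - domains seen repeat_threshold times or more, which points
                 at a server or network outage rather than a one-off timeout
      counts   - Counter of every domain seen
    """
    counts = Counter()
    for line in lines:
        match = NIS_MSG.search(line)
        if match:
            counts[match.group(1)] += 1
    foreign = sorted(d for d in counts if d != expected_domain)
    repeated = sorted(d for d, n in counts.items() if n >= repeat_threshold)
    return foreign, repeated, counts

# Constructed sample input in an assumed /var/adm/messages layout.
SAMPLE_LOG = [
    'Apr  5 23:12:01 ws1 vmunix: NIS: server not responding for domain "^d"; still trying',
    'Apr  6 02:00:10 ws1 vmunix: NIS: server not responding for domain "example.nis"; still trying',
    'Apr  6 02:00:40 ws1 vmunix: NIS: server not responding for domain "example.nis"; still trying',
    'Apr  6 02:01:10 ws1 vmunix: NIS: server not responding for domain "example.nis"; still trying',
    'Apr  6 02:01:15 ws1 vmunix: NIS: server OK',  # unrelated line, ignored
]

if __name__ == "__main__":
    foreign, repeated, counts = triage(SAMPLE_LOG, expected_domain="example.nis")
    for domain in foreign:
        print(f"unexpected domain {domain!r} seen {counts[domain]} time(s): "
              "find out what tried to bind to it")
    for domain in repeated:
        print(f"domain {domain!r} timed out {counts[domain]} times: "
              "check ypbind/ypserv and the network")
```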



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:21 CDT