Check or Attack Name: irixfam

The IRIX File Alteration Monitor (fam) daemon is used by networked IRIX machines to track file modifications. The fam service, which runs as RPC program 391002, is used by other programs to keep track of file modifications.

When a program initially connects to the fam server, it passes the name of a file or directory to watch. If the fam server receives a directory name, it returns the client a complete list of files and subdirectories in that directory. By passing the fam server a request to list the root directory, and by systematically following the subdirectories, an attacker can remotely obtain a complete list of files on the system.

Determine if the fam daemon is running, and if so, disable the daemon.

To determine whether your workstation is running this service, type:

% /usr/etc/rpcinfo -p | grep 391002

If you are vulnerable, you will see the following line:

391002 1 tcp 1051 sgi_fam

If no output occurs, then you are not running a fam server. Any other type of output, such as an error message, probably indicates that you are either specifying the wrong directory for the rpcinfo program, or that there are no rpc services running on this system.

—AND—

If you do not use any programs that require fam, such as the IRIX file manager, fm(1G), or mailbox(1), then disable the fam service by commenting out the entry for it in /etc/inetd.conf and rebooting. Silicon Graphics has been notified of this problem and recommends that sites concerned about security disable the fam service.

Secure Networks Inc. Security Advisory, July 14, 1997, Silicon Graphics IRIX fam service, http://web1.nai.com/products/security/advisory/16_fam_adv.asp