[EMAIL PROTECTED] writes:

> I got the following (alarming) messages on syslog:
>
> Jan 8 13:34:23 yuban syslogd: Cannot glue message parts together
> Jan 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
> ^X\xf7\xff\xbf^X\xf7[snip]
> Jan 8 13:34:23 yuban
> \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L[snip]
>
> it looks like an attack (specially when I see /bin/sh hidden in there). I
> searched the lists and it seems that this problem should have been
> corrected before potato was released. Any reason for worries, or is there
> any reason why I should think it was an unsuccessful attack?
I don't know that there wasn't a more recent vulnerability in rpc.statd
after potato, but I carry no authority in suggesting one way or another.
The above *does* look suspiciously like you've been cracked, though. You
should know the drill: take offline, copy disk off to backup/forensic
storage, blank and reinstall. Look through the forensic copy for changes
to inetd, inittab and login.

~Tim
-- 
The light of the world keeps shining,  | [EMAIL PROTECTED]
Bright in the primal glow              | http://piglet.is.dreaming.org
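The thing the poster spotted by eye, non-printable bytes and a buried /bin/sh where rpc.statd expected a hostname, is easy to check for mechanically across a whole syslog file before deciding whether to follow Tim's advice. The script below is an added example written for this page, not code from either participant. It parses syslog lines, counts escaped bytes in the three forms a log may render them (\xNN hex, \NNN octal as syslog(3) emits, and ^X caret notation), strips the escapes and looks for the split "/bin" ... "/sh" fragments, and treats non-printable bytes in an rpc.statd gethostbyname message as high severity. The sample log lines are constructed, modelled on the ones quoted above; the hostname, thresholds and severity labels are assumptions.

```python
import re

# Renderings of non-printable bytes seen in syslog output or mail-quoted logs:
# \xNN (hex), \NNN (octal, the form syslog(3) writes), ^X (caret notation).
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}|\\[0-7]{3}|\^[@-_?]')

# Shellcode often stores "/bin" and "/sh" as two separate 4-byte words, so once
# the escapes are removed the two pieces may be a few characters apart.
SHELL_FRAGMENT = re.compile(r'/bin.{0,8}/(?:sh|bash|ksh|csh)')

# "Mon DD HH:MM:SS host [program:] message"; program is optional because a
# continuation of an over-long message arrives without one (see sample line 4).
SYSLOG_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+'
    r'(?:(?P<prog>[^\s:]+):\s+)?(?P<msg>.*)$')

ESCAPE_RUN = 6  # assumed threshold: this many escaped bytes in one message is not a hostname
LEVEL = {'none': 0, 'info': 1, 'medium': 2, 'high': 3}

# Constructed sample, modelled on the lines quoted in the thread (host "yuban" is
# theirs; the sshd line and the clean NFS client name are made up).
SAMPLE_LOG = r"""
Jan  8 13:34:22 yuban sshd[212]: Accepted publickey for alice from 192.0.2.10 port 40122
Jan  8 13:34:23 yuban syslogd: Cannot glue message parts together
Jan  8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf[snip]
Jan  8 13:34:23 yuban \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L[snip]
Jan  8 13:35:01 yuban /sbin/rpc.statd[159]: gethostbyname error for nfsclient.example.invalid
"""


def analyze_line(line):
    """Classify one syslog line; returns program, escape count, severity and reasons."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return {'line': line, 'program': None, 'escapes': 0,
                'severity': 'none', 'reasons': ['unparsed line']}
    prog = m['prog'] or ''
    msg = m['msg']
    escapes = len(ESCAPED_BYTE.findall(msg))
    stripped = ESCAPED_BYTE.sub('', msg)
    found = []  # (level, reason)

    # rpc.statd should only ever log a DNS name here, never raw binary.
    if 'rpc.statd' in prog and msg.startswith('gethostbyname error') and escapes:
        found.append(('high', f'rpc.statd logged a "hostname" containing {escapes} non-printable bytes'))
    if SHELL_FRAGMENT.search(stripped):
        found.append(('high', 'shell path fragments (/bin ... /sh) visible once escapes are stripped'))
    if escapes >= ESCAPE_RUN:
        found.append(('medium', f'run of {escapes} escaped non-printable bytes'))
    if prog == 'syslogd' and 'Cannot glue message parts together' in msg:
        found.append(('info', 'syslogd could not reassemble a split message; check the adjacent lines'))

    severity = max((lvl for lvl, _ in found), key=LEVEL.get, default='none')
    return {'line': line, 'program': prog or None, 'escapes': escapes,
            'severity': severity, 'reasons': [r for _, r in found]}


def analyze_log(text):
    """Return the findings for every non-empty line that raised at least an 'info'."""
    results = (analyze_line(l) for l in text.splitlines() if l.strip())
    return [r for r in results if r['severity'] != 'none']


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['line'][:70]}")
        for reason in f['reasons']:
            print('         -', reason)
```

A hit from the rpc.statd or shell-fragment rule is a reason to stop trusting the host and move to the offline forensic copy Tim describes, not a reason to keep grepping on the live system; the syslogd "glue" line on its own is only context, which is why it is rated info.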

