>From: Systems Administrator <[EMAIL PROTECTED]>
>Hi all. Be kind, I'm a newbie. I've checked the site listed below as I'm
>searching about TCP port 600, but unfortunately nothing is listed about
>it. I found the lines below in my error logs and I'm still trying to figure
>out what they are supposed to do:
>
>Feb 3 09:45:59 ns statd[123]: attempt to create "/var/statmon/sm/; echo
>"pcserver stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ;
>/usr/sbin/inetd -s /tmp/bob &"
>
>the "bob" file is this:
>
>pcserver stream tcp nowait root /bin/sh sh -i
>
>This particular user 'came in' on port 600. I read somewhere that this
>port should be blocked... err... how am I supposed to do that?
You've been hacked. The fact that you have a "bob" file means that someone
has successfully exploited the statd vulnerability which exists on a number
of unpatched Unix systems. They created a buffer overrun which writes a file
"/tmp/bob" which contains a single line to instruct the inetd command to
spawn a root shell listening on the pcserver port 600. I would disconnect
your machine right away and find out to what extent you were compromised.
First kill the additional inetd process, and then look for any additional
backdoors the attacker may have left including suid shells in the
filesystem, new entries in /etc/passwd, etc. To be safe, I would restore the
system from a previous backup from before the attack. To be paranoid, I
would reinstall the OS... (but that might not be practical). Keep in mind
the attacker has probably copied the /etc/passwd file and has/is running
some crack program on it offline, so tell all your users to change their
passwords.
Your attack is a variation of a similar attack seen last year which attached
a root shell to the ingreslock port 1524.
The statd vulnerability is documented in the CERT advisory CA-97.26.statd
(http://www.cert.org/advisories/CA-97.26.statd.html). In this document, find
your system listed in the Vendor Information Appendix and patch your OS to
the required level. If you are not running NFS, I would recommend you even
disable the whole NFS subsystem (including statd) at startup.
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
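For anyone triaging a similar incident, the two checks Gene describes (spotting the injected command in the statd log message, and reviewing inetd-style configuration files for a service whose "server program" is a shell) can be scripted. This is an added example, not code from the thread; the log line is the one quoted above re-joined onto a single line, and the inetd entries are constructed, with only the "pcserver" line mirroring the attacker's /tmp/bob file.

```python
import re

# Constructed sample data: the log line reproduces the statd message quoted in
# the thread (re-joined onto one line); the inetd entries are made up, with the
# "pcserver" line mirroring the attacker's /tmp/bob file.
SAMPLE_LOG = ('Feb 3 09:45:59 ns statd[123]: attempt to create "/var/statmon/sm/; '
              'echo "pcserver stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; '
              '/usr/sbin/inetd -s /tmp/bob &"')
SAMPLE_INETD_CONF = """\
# service  type   proto wait/nowait user server_program       args
ftp        stream tcp   nowait      root /usr/sbin/in.ftpd    in.ftpd
telnet     stream tcp   nowait      root /usr/sbin/in.telnetd in.telnetd
pcserver   stream tcp   nowait      root /bin/sh              sh -i
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}
METACHARS = re.compile(r"[;&|`$\n]")


def statd_injected_payload(log_line):
    """Return the shell text smuggled into a statd 'attempt to create' message,
    or None when the requested path contains no shell metacharacters."""
    m = re.search(r'attempt to create "(.*)"\s*$', log_line)
    if not m or not METACHARS.search(m.group(1)):
        return None
    # A legitimate statd path never contains ';'; what follows it is the
    # command the attacker wanted the shell to run.
    return m.group(1).split(";", 1)[1].strip()


def parse_inetd_line(line):
    """Split one inetd.conf entry into its fields; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)
    if len(fields) < 6:
        return None
    keys = ("service", "type", "proto", "wait", "user", "program", "args")
    return dict(zip(keys, fields + [""] * (7 - len(fields))))


def shell_backdoors(conf_text):
    """(service, user) pairs whose server program is a shell, i.e. a remote
    shell handed to whoever connects to that port."""
    hits = []
    for entry in map(parse_inetd_line, conf_text.splitlines()):
        if entry and entry["program"].rsplit("/", 1)[-1] in SHELLS:
            hits.append((entry["service"], entry["user"]))
    return hits


if __name__ == "__main__":
    print("injected:", statd_injected_payload(SAMPLE_LOG))
    print("shell-bound services:", shell_backdoors(SAMPLE_INETD_CONF))
```

Run `shell_backdoors` over the real /etc/inetd.conf as well as any file named by a `-s` argument on a running inetd process, since the attacker's configuration lived in /tmp rather than in the system file.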