This looks more like a remote format string vulnerability than the work
of a rootkit. rpc.statd has several format string vulnerabilities. The
give-away is the long HEX string preceded by unreadable characters. The
unreadable characters are the formatted string that statd accepts as
input, and the HEX value is the string option, in this case, a value
that exceeds the size of the allocated buffer. There is probably an
executable command buried in the hex that would be executed after the
end of the stack. Check your system logs, command logs, and login logs. 

FYI,
Kenny 

You may want to check http://www.securityfocus.com under
vulnerabilities. Do a keyword search on "statd".
Jeff Dike wrote:
> 
> [EMAIL PROTECTED] said:
> > Dec 31 15:12:39 localhost rpc.statd[302]: gethostbyname  error for
> > ^X���^X���^Y���^Y���^Z���^Z���^[���^[���bffff760 8049710
> > 8052c28687465676274736f6d616e797265206520726f7220726f66
> >
> > just appeared in my syslog.  Other than pointing out that my machine
> > thinks its name is localhost, does anyone know what this might mean ?
> 
> You were r00ted.  Maybe.
> 
> You should take a close look at your system to see if you can find a rootkit
> or trojaned binaries (like /bin/login).
> 
>                                 Jeff
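
As an added example, not part of this thread or of any of the posters' tooling: a small Python check that scans syslog lines for rpc.statd hostname-lookup failures whose "hostname" field looks like the pattern Kenny describes (control characters followed by a long run of hex digits) rather than a real hostname. The log lines are constructed for the example, and the regular expressions, the 16-hex-digit threshold, and the assumption that syslog either writes raw control bytes or caret-escapes them (^X) are mine.

```python
import re

# Constructed sample syslog lines (not taken from the original thread).
# Line 2 mimics caret-escaped control characters, line 3 raw control bytes.
SAMPLE_LOG = [
    "Dec 31 15:10:01 localhost rpc.statd[302]: gethostbyname error for client.example.com",
    "Dec 31 15:12:39 localhost rpc.statd[302]: gethostbyname  error for ^X^Y^Zbffff760 8049710 8052c28687465676274736f",
    "Dec 31 15:12:40 localhost rpc.statd[302]: gethostbyname error for \x18\x19\x1a" + "41" * 12,
    "Dec 31 15:13:02 localhost sshd[410]: Accepted publickey for alice from 10.0.0.5 port 51234",
]

# Matches the statd message and captures whatever was logged as the hostname.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname\s+error for (?P<host>.*)$")
# A syntactically plausible DNS hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")
# 16 or more consecutive hex digits (assumed threshold; real hostnames rarely look like this).
HEX_RUN_RE = re.compile(r"[0-9a-fA-F]{16,}")
# syslog caret notation for control characters, e.g. ^X for 0x18.
CARET_RE = re.compile(r"\^[@-_]")


def hostname_reasons(host):
    """Return the list of reasons a logged hostname field looks like injected data."""
    reasons = []
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in host):
        reasons.append("non-printable bytes in hostname field")
    if CARET_RE.search(host):
        reasons.append("caret-escaped control characters in hostname field")
    if HEX_RUN_RE.search(host):
        reasons.append("long hex run in hostname field")
    if not HOSTNAME_RE.match(host):
        reasons.append("not a syntactically valid hostname")
    return reasons


def suspicious_statd_lines(lines):
    """Return [(line_number, reasons)] for rpc.statd lookup failures that warrant a closer look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = STATD_RE.search(line)
        if not m:
            continue
        reasons = hostname_reasons(m.group("host"))
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in suspicious_statd_lines(SAMPLE_LOG):
        print("line %d: %s" % (n, "; ".join(reasons)))
```

A hit here is a reason to do what both replies already suggest (review logs and check the box for tampering), not proof of compromise on its own: a legitimate hostname that happens to be sixteen or more hex digits trips the hex-run check, so the "not a valid hostname" and control-character reasons are the stronger signals.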

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
