Unfortunately, you're right. There's been a long-standing hole in rpc.statd for quite some time, mainly on RedHat (and possibly other distros). I've gotten burned on this one on some of my co-workers' home machines, mainly last fall. Pretty much the same buffer overflow to the service.

My suggestions: if you're running tripwire, the report will give you a listing of binaries that have changes (bogus copies of ssh, telnet, su, etc). If not, your safest bet is to wipe the machine & re-install. Getting MD5 sums from a majority of the binaries in /bin, /usr/bin, /usr/sbin, etc can be really time consuming.

If you don't really need portmap, I'd consider turning it off, or firewalling the machines that have TCP & UDP port 111 left open.

-----Original Message-----
From: Gareth Hastings [mailto:ghastingsat_private]
Sent: Sunday, July 22, 2001 12:46 AM
To: incidentsat_private
Subject: Guess this is a hack attempt

Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220

How do I know if the attempt succeeded or not? This entry is repeated about 50 times. I checked the obvious things like hosts.allow/deny being changed. I checked for suid root files and entries in the inetd.conf file. Is there anything else I should look for?

Thanks
Gareth

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
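Added example, not written by either poster: a small Python triage script that picks out rpc.statd "gethostbyname error" entries carrying printf write specifiers (%n, %hn) or a run of syslog-escaped \220 bytes (octal 220 = 0x90, the x86 NOP), which is what the quoted log line contains. The sample lines are constructed for the example; the clean hostname and the sshd line are made up.

```python
import re

# Constructed sample lines, modelled on the rpc.statd entry quoted in the thread
# (the hostname in the second line and the third line are invented for this example).
SAMPLE_LINES = [
    "Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for "
    "^X?y?%8x%8x%8x%62716x%hn%51859x%hn" + "\\220" * 12,
    "Jul 17 07:48:01 somebox rpc.statd[609]: gethostbyname error for nfsclient.example.internal",
    "Jul 17 07:48:10 somebox sshd[812]: Accepted publickey for root from 10.0.0.5",
]

# rpc.statd logs the unresolvable 'hostname' it was handed; a legitimate one is just a name.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)$")
# %n / %hn / %hhn write to memory when the string reaches a printf-family call.
WRITE_SPEC_RE = re.compile(r"%\d*h{0,2}n")
# %8x, %62716x ... consume stack words and pad the output to steer those writes.
READ_SPEC_RE = re.compile(r"%\d*[xXpdu]")
# syslog writes non-printable bytes as octal escapes; \220 is 0x90, the x86 NOP.
NOP_RUN_RE = re.compile(r"(?:\\220)+")


def analyse_statd_line(line):
    """Return a dict of indicators for an rpc.statd line, or None if the line is not one."""
    m = STATD_RE.search(line)
    if m is None:
        return None
    name = m.group(1)
    writes = len(WRITE_SPEC_RE.findall(name))
    reads = len(READ_SPEC_RE.findall(name))
    nop_run = max((len(run) // len("\\220") for run in NOP_RUN_RE.findall(name)), default=0)
    return {
        "writes": writes,
        "reads": reads,
        "nop_run": nop_run,
        # A real hostname never needs a write specifier or a NOP sled; either one is enough to flag.
        "suspicious": writes > 0 or nop_run >= 8,
    }


def scan(lines):
    """Return (1-based line number, indicators) for every suspicious rpc.statd entry."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        info = analyse_statd_line(line)
        if info and info["suspicious"]:
            hits.append((lineno, info))
    return hits


if __name__ == "__main__":
    for lineno, info in scan(SAMPLE_LINES):
        print(f"line {lineno}: {info}")
```

A flagged line only shows that the attack was delivered, not whether it worked; answering the original question still needs the binary integrity checks the reply describes (tripwire or known-good checksums of /bin, /usr/bin, /usr/sbin).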
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:37:35 PDT