RE: Guess this is a hack attemp

From: Chip McClure (vhm3at_private)
Date: Sun Jul 22 2001 - 14:09:26 PDT


    Unfortunately, you're right. There's been a long-standing hole in
    rpc.statd for quite some time, mainly on RedHat (and possibly other
    distros). I've gotten burned on this one on some of my co-workers'
    home machines, mainly last fall. Pretty much the same buffer overflow
    to the service.
    
    My suggestions: if you're running tripwire, the report will give you
    a listing of binaries that have changed (bogus copies of ssh, telnet,
    su, etc.). If not, your safest bet is to wipe the machine &
    re-install. Getting MD5 sums from a majority of the binaries in /bin,
    /usr/bin, /usr/sbin, etc. can be really time-consuming.
    
    If you don't really need portmap, I'd consider turning it off, or
    firewalling the machines that have TCP & UDP port 111 left open.
    
    -----Original Message-----
    From: Gareth Hastings [mailto:ghastingsat_private]
    Sent: Sunday, July 22, 2001 12:46 AM
    To: incidentsat_private
    Subject: Guess this is a hack attemp
    
    
    Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for
    ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
    x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
    0\220\220\220\220\220\2
    20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    \220\220\220\220\220\22
    0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
    220\220\220\220\220\220
    \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
    20\220\220\220\220\220\
    220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
    0\220\220\220\220\220\2
    20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    \220\220\220\220\220\22
    0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
    220\220\220\220\220\220
    \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
    20\220\220\220\220\220\
    220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
    0\220\220\220\220\220\2
    20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    \220\220\220\220\220\22
    0\220\220
    
    How do I know if the attempt succeeded or not? This entry is repeated
    about 50 times. I checked the obvious things like hosts.allow/deny
    being changed. I checked for suid root files and entries in the
    inetd.conf file. Is there anything else I should look for?
    
    Thanks
    
    Gareth
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
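One way to flag entries like the rpc.statd line quoted above in a syslog feed, added here as an example that is not from either poster: it matches rpc.statd gethostbyname errors whose resolver argument carries format-string write directives (%hn), width-padded %x conversions, or a run of \220 (octal for 0x90) bytes, and counts how often each host logs them. The log lines below are constructed to resemble the one in the thread.

```python
import re
from collections import Counter

# rpc.statd syslog line: timestamp, host, process[pid], then the message,
# whose tail is the caller-supplied "hostname" that failed to resolve.
STATD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) rpc\.statd\[(\d+)\]: "
                      r"gethostbyname error for (.*)$")
# %n/%hn write through the format string, wide %NNNNx pads the output to
# steer the value written, and "\220" is syslog's octal escape for 0x90,
# a long run of which is a NOP sled.
WRITE_DIRECTIVE_RE = re.compile(r"%\d*h?n")
PADDED_X_RE = re.compile(r"%\d{2,}x")
NOP_SLED_RE = re.compile(r"(?:\\220){8,}")

def classify(line):
    """None unless the line is a statd error carrying attack indicators;
    otherwise a dict of the indicators plus the reporting host and pid."""
    m = STATD_RE.search(line)
    if not m:
        return None
    host, pid, payload = m.group(1), int(m.group(2)), m.group(3)
    found = {
        "write_directives": len(WRITE_DIRECTIVE_RE.findall(payload)),
        "padded_x": len(PADDED_X_RE.findall(payload)),
        "nop_sled": NOP_SLED_RE.search(payload) is not None,
    }
    if not any(found.values()):
        return None  # ordinary resolver failure, not a format-string attempt
    found.update(host=host, pid=pid)
    return found

def scan(lines):
    """Classify each line; return the hits and a per-host repeat count
    (the thread notes the entry recurred about 50 times)."""
    hits = [c for c in map(classify, lines) if c]
    return hits, Counter(h["host"] for h in hits)

# Constructed sample log modelled on the entry quoted in the thread
# (payload shortened; the real sled is far longer).
ATTACK = (r"Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for "
          r"^X?y?^X?y?%8x%8x%8x%8x%62716x%hn%51859x%hn" + r"\220" * 32)
SAMPLE_LOG = [
    ATTACK,
    r"Jul 17 07:50:12 somebox rpc.statd[609]: gethostbyname error for nosuch.example.org",
    r"Jul 17 07:51:00 somebox sshd[700]: Accepted password for gareth from 10.0.0.5",
    ATTACK,
    ATTACK,
]
```

Running scan(SAMPLE_LOG) reports three suspicious statd entries, all from somebox, while the ordinary resolver failure and the sshd line are left alone.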



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:37:35 PDT