Re: Red Hat 7.1 rpc.statd problem

From: Fyodor (fygraveat_private)
Date: Wed Dec 05 2001 - 11:57:30 PST


    On Wed, Dec 05, 2001 at 11:30:57AM -0800, Blue Boar wrote:
    > Would you post that to the list too, please?
    
    sure ;-)
    
    
    I wrote:
    > 
    > because originally the bug was simple
    > 
    > if (cant_lookup_hostname(userdata)) {
    >     syslog(userdata);
    > }
    > .. now they fixed it to be:
    >     syslog("lookup screwed for: %s\n", userdata);
    > ...
    > 
    > so you're still seeing the hostname anyway; it just isn't interpreted
    > as a format string, so the bug is gone. (Of course I am not precise with
    > the code, it could be different, but the idea is here.)
    > 
    > On Wed, Dec 05, 2001 at 10:31:46AM -0800, Blue Boar wrote:
    > > I have a question.  It may sound a bit more appropriate for Incidents,
    > > but keep reading.
    > >
    > > So, I'm running a Red Hat 7.1 box.  I intentionally have many services
    > > running, but I applied all the patches from Red Hat during install, and
    > > I apply any new patches within a few hours of them coming out.  I have
    > > this a few times in my messages file:
    > >
    > > rpc.statd[496]: gethostbyname error for
    > > ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
    > >
    > > This is fairly common from what I can see.  Lots of people report this,
    > > and it appears that this is what you get after the patches have been
    > > applied, and the attack fails.  This is the result of a standard exploit,
    > > and I believe also a worm based on that same exploit.  There doesn't
    > > appear to be any evidence of a successful intrusion on my box.
    > >
    > > So my question is: If this is a patched version, why the heck is it
    > > trying to look up that name?  I'm pretty sure that there
    > > isn't someone out there who has that as a reverse name for PTR
    > > records.
    > >
    > > Can anyone help clear up my confusion?  Is this just a really bad
    > > patch, or is there still room for exploit, or is this the way
    > > it's supposed to work?
    > >
    > >                                       BB
    > 
    
    -- 
    http://www.notlsd.net
    PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
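The logging pattern Fyodor sketches above, written out as an added example (this is not rpc.statd's code and not something from the thread). The patched form passes the looked-up name as a `%s` argument, so a name full of `%x`/`%hn` directives is copied into the log verbatim, which is exactly why the messages file still shows the payload after the fix. A second function gives a defender-side check that flags such a logged hostname: a real hostname never contains `%`, and a `%n`-family directive is conclusive. The function names and the use of snprintf into a buffer as a stand-in for syslog(3) are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Post-patch shape: fixed format, untrusted name passed as a %s argument.
 * Directives inside 'hostname' are data, not format, and land in the log
 * as literal text. (Buffer stand-in for syslog(3); assumed name.) */
int log_lookup_failure_safe(char *out, size_t outlen, const char *hostname)
{
    return snprintf(out, outlen, "gethostbyname error for %s", hostname);
}

/* Pre-patch shape, kept only as a comment for contrast: the name itself is
 * the format string, so %x reads the stack and %n/%hn writes to it.
 *
 *   snprintf(out, outlen, hostname);    // never do this
 */

/* Returns true if the patched logger reproduces the input unchanged,
 * i.e. no directive in it was interpreted. */
bool patched_log_keeps_payload_literal(const char *hostname)
{
    char buf[512], expect[512];
    log_lookup_failure_safe(buf, sizeof buf, hostname);
    snprintf(expect, sizeof expect, "gethostbyname error for %s", hostname);
    return strcmp(buf, expect) == 0;
}

/* Counts printf conversion directives in a logged hostname and reports
 * whether any of them is a write directive (%n, %hn, %ln ...).
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s, bool *has_write)
{
    int n = 0;
    bool w = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* look past the '%' */
        if (*p == '\0')
            break;                             /* trailing lone '%' */
        if (*p == '%')
            continue;                          /* "%%" literal */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        n++;                                   /* *p is the conversion char */
        if (*p == 'n')
            w = true;
    }
    if (has_write)
        *has_write = w;
    return n;
}

/* Convenience wrapper: does the logged name contain a %n-style write? */
bool has_write_directive(const char *s)
{
    bool w = false;
    count_format_directives(s, &w);
    return w;
}

int main(void)
{
    /* Constructed sample, shaped like the entry in Blue Boar's messages file
     * but shortened. */
    const char *probe = "%8x%8x%8x%62716x%hn%51859x%hn";
    const char *normal = "mail.example.com";
    char line[512];

    log_lookup_failure_safe(line, sizeof line, probe);
    printf("patched logger writes: %s\n", line);
    printf("directives in probe: %d, write directive: %s\n",
           count_format_directives(probe, NULL),
           has_write_directive(probe) ? "yes" : "no");
    printf("directives in '%s': %d\n", normal,
           count_format_directives(normal, NULL));
    return 0;
}
```

Running it prints the probe back unchanged under the fixed format, with seven directives counted and a write directive present, while an ordinary hostname scores zero; that zero-versus-anything split is what a log watcher would key on.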
    

    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 12:38:40 PST