Firewall Wizards mailing list archives

Re: rpc.statd message log


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 24 Apr 2003 12:52:21 -0400 (EDT)


RPC services have a dramatically bad history in the security realm, and
across platforms and vendors.  Sploits are all over the place for various
OS's.  Patches can help some, but, for exposed systems the services should
be closed off and/or protected from external exposure by proper setup and
filtering.  Discovering when/how/by whom/what's affected|changed in the
case of a compromise or suspected compromise can be a tough task.  Tools
that can aid in discovering what might have been trojaned or rootkitted
include, but are not limited to:  tripwire/md5 binary checksums of the
critical OS files and dirs.  If your exposed machines are not scanned at
least daily by a file integrity checker like those mentioned, then one
would be better off to have a fault tolerant backup/recovery system for
those exposed servers.  Or, if one can get by with it, a read only <bootable
CD> OS to help mitigate the potential and effects of compromise.

Log analysis, passwd/group files analysis, and a detailed audit of the
base OS might help define if this statd service was indeed remotely
overflowed and resulted in a compromise, or if it had been patched or hit
by a sploit of which it only logged evidence of an attempt.  Of course, the
truly paranoid only bother with such forensics if they intend to
prosecute, and just wipe and reinstall from backups or reboot the
non-writeable OS to clean up.

Thanks,

Ron DuFresne



On Thu, 24 Apr 2003, Robert E. Martin wrote:

I found this in my /var/log/messages log ........

Apr 21 11:07:01 fms rpc.statd[1010]: gethostbyname error for 
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51
859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

I believe that the machine has been compromised, but do not find any 
trace using cert.org recommended Intruder Detection Checklist. I have 
stopped the rpc.statd service, since we don't use this at ALL!
http://www.kb.cert.org/vuls/id/34043
Any thoughts? Anyone?



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
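The log analysis Ron recommends can be scripted. The following is an added example, not code from either poster: it parses syslog-style lines and flags rpc.statd "gethostbyname error" entries whose argument is not a hostname but carries format-string indicators (memory-writing %n/%hn specifiers, runs of %Nx padding, runs of 0x90 bytes, which syslog renders as \220). The sample lines are constructed for the example and only mimic the shape of the entry quoted above.

```python
import re

# Constructed sample lines (not taken from the original post): one benign
# rpc.statd lookup failure, one attack-shaped entry, one unrelated sshd line.
SAMPLE_LINES = [
    "Apr 21 11:06:12 fms rpc.statd[1010]: gethostbyname error for fileserver.example.internal",
    r"Apr 21 11:07:01 fms rpc.statd[1010]: gethostbyname error for "
    r"%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220",
    "Apr 21 11:07:05 fms sshd[2231]: Accepted publickey for ops from 10.0.0.5 port 4411",
]

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
WRITE_SPEC_RE = re.compile(r"%(?:\d+\$)?h?h?n")   # %n / %hn write to memory
PAD_SPEC_RE = re.compile(r"%\d*[xdupsX]")          # %8x, %62716x ... steer the written value
NOP_RE = re.compile(r"(?:\\220|\x90){8,}")         # 8+ consecutive 0x90 bytes (octal \220 in logs)
GETHOSTBYNAME_RE = re.compile(r"gethostbyname error for (?P<arg>.*)$")
VALID_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def analyse_line(line):
    """Parse one syslog line; return a dict with counters and a severity, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    writes = len(WRITE_SPEC_RE.findall(msg))
    pads = len(PAD_SPEC_RE.findall(msg))
    nop_bytes = sum(len(re.findall(r"\\220|\x90", run)) for run in NOP_RE.findall(msg))
    findings = []
    if writes:
        findings.append(f"{writes} memory-writing specifier(s) (%n/%hn)")
    if pads >= 4:
        findings.append(f"{pads} padding specifier(s) (%Nx)")
    if nop_bytes:
        findings.append(f"{nop_bytes}-byte run of 0x90 (NOP-style) bytes")
    arg = GETHOSTBYNAME_RE.search(msg)
    if arg and not VALID_HOST_RE.fullmatch(arg.group("arg")):
        findings.append("gethostbyname argument is not a hostname")
    # %n/%hn or a NOP run means code injection was attempted, not a stray lookup failure.
    severity = "critical" if (writes or nop_bytes) else ("suspicious" if findings else "ok")
    return {"ts": m.group("ts"), "host": m.group("host"), "prog": m.group("prog"),
            "pid": m.group("pid"), "write_specifiers": writes, "pad_specifiers": pads,
            "nop_bytes": nop_bytes, "findings": findings, "severity": severity}


if __name__ == "__main__":
    for result in filter(None, map(analyse_line, SAMPLE_LINES)):
        if result["severity"] != "ok":
            print(result["ts"], result["host"], result["prog"], result["severity"], result["findings"])
```

A "critical" hit on an exposed host is the point at which Ron's advice applies: compare binaries against the integrity baseline and check passwd/group before trusting anything else the box logs.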

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

