Firewall Wizards mailing list archives
Re: rpc.statd message log
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 24 Apr 2003 12:52:21 -0400 (EDT)
RPC services have a dramatically bad history in the security realm, and across platforms and vendors. Sploits are all over the place for various OS's. Patches can help some, but for exposed systems the services should be closed off and/or protected from external exposure by proper setup and filtering.

Discovering when/how/by whom/what's affected|changed in the case of a compromise or suspected compromise can be a tough task. Tools that can aid in discovering what might have been trojaned or rootkitted include, but are not limited to: tripwire/md5 binary checksums of the critical OS files and dirs. If your exposed machines are not scanned at least daily by a file integrity checker like those mentioned, then one would be better off to have a fault tolerant backup/recovery system for those exposed servers. Or if one can get by with a read only <bootable CD> OS to help mitigate the potential and effects of compromise.

Log analysis, passwd/group files analysis, and a detailed audit of the base OS might help define if this statd service was indeed remotely overflowed and resulted in a compromise, or if it had been patched or hit by a sploit that it only logged evidence of attempt. Of course, the truly paranoid only bother with such forensics if they intend to prosecute and just wipe and reinstall from backups or reboot the non-writeable OS to clean up.

Thanks,

Ron DuFresne

On Thu, 24 Apr 2003, Robert E. Martin wrote:
> I found this in my /var/log/messages log ........
>
> Apr 21 11:07:01 fms rpc.statd[1010]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> I believe that the machine has been compromised, but do not find any trace using cert.org recommended Intruder Detection Checklist. I have stopped the rpc.statd service, since we don't use this at ALL!
>
> http://www.kb.cert.org/vuls/id/34043
>
> Any thoughts? Anyone?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
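Added example, not from either poster: the log analysis Ron points to, done mechanically. The question in the thread is whether a gethostbyname error from rpc.statd is a plain lookup failure or the trace of a format-string attempt, and the tokens that decide it are visible in the quoted line: syslog writes non-printable bytes as octal escapes, so a long run of \220 (byte 0x90) is a NOP sled, and %hn / width-padded %Nx conversions have no place in a hostname. The sample log below is constructed (hostname "fms" and PID reused from the thread, payload shortened, the benign hostname and other lines invented), and the NOP-run threshold of 8 is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# syslog writes non-printable bytes as octal escapes, so "\220" is byte 0x90,
# the x86 NOP opcode; the CERT note linked in the thread concerns rpc.statd
# handing untrusted input to a format function, so "%hn" (a write directive)
# and padded "%Nx" conversions are the other tokens a hostname never contains.
STATD_LINE = re.compile(r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<name>.*)$")
HN_WRITE = re.compile(r"%hn")
PADDED_HEX = re.compile(r"%\d+x")
NOP_RUN = re.compile(r"(?:\\220)+")


@dataclass
class Finding:
    pid: int
    hn_writes: int            # number of %hn directives in the "hostname"
    padded_conversions: int   # number of %Nx width-padded conversions
    nop_run: int              # longest consecutive run of \220 escapes
    line: str


def longest_nop_run(text: str) -> int:
    # each \220 escape is four characters of log text
    return max((len(m.group(0)) // 4 for m in NOP_RUN.finditer(text)), default=0)


def inspect_statd_line(line: str, nop_threshold: int = 8) -> Optional[Finding]:
    m = STATD_LINE.search(line)
    if m is None:
        return None            # not an rpc.statd lookup failure at all
    name = m.group("name")
    hn = len(HN_WRITE.findall(name))
    padded = len(PADDED_HEX.findall(name))
    nops = longest_nop_run(name)
    # a genuinely unresolvable hostname has none of these; one %hn, or a NOP
    # sled at or above the (assumed) threshold, is enough to flag the line
    if hn == 0 and nops < nop_threshold:
        return None
    return Finding(int(m.group("pid")), hn, padded, nops, line)


def scan(log_text: str, nop_threshold: int = 8) -> List[Finding]:
    found = []
    for line in log_text.splitlines():
        f = inspect_statd_line(line, nop_threshold)
        if f is not None:
            found.append(f)
    return found


# Constructed sample modelled on the entry quoted in the thread: the payload is
# shortened, the second statd line is a benign failure for an invented hostname,
# and the sshd/cron lines are filler to show they are skipped.
SAMPLE_LOG = r"""
Apr 21 11:06:58 fms sshd[987]: Accepted publickey for ops from 10.0.0.5 port 40112
Apr 21 11:07:01 fms rpc.statd[1010]: gethostbyname error for ^X^X%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220
Apr 21 11:09:30 fms rpc.statd[1010]: gethostbyname error for nfsclient.example.internal
Apr 21 11:10:02 fms cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
""".strip()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} hn_writes={f.hn_writes} padded={f.padded_conversions} "
              f"nop_run={f.nop_run}: {f.line[:60]}...")
```

A hit tells you an attempt reached the daemon; it does not tell you whether the daemon was patched, which is why Ron's point about following up with a file integrity check and a passwd/group audit stands.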
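Added example, not from either poster or from tripwire: the baseline-and-compare step behind the "tripwire/md5 binary checksums" Ron recommends. It records a digest, mode and size for every regular file under a root, then reports what was modified, removed or added since the baseline. SHA-256 is assumed in place of the md5 the thread mentions; the directory tree, file contents and the "trojaned ls" scenario in demo() are constructed for illustration. As with any such check, the baseline is only worth something if it is kept where a compromised host cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

HASH = "sha256"   # assumption: stronger than the md5 the thread mentions, same workflow


def digest(path: Path) -> str:
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Digest, permission bits and size of every regular file under root, keyed by relative path."""
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            base[str(p.relative_to(root))] = {
                "digest": digest(p),
                "mode": st.st_mode & 0o7777,   # setuid/setgid bits included
                "size": st.st_size,
            }
    return base


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a toy bin/sbin, then swap one binary and drop a hidden file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin" / "rpc.statd").write_bytes(b"ELF original statd")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF original ls")
        baseline = build_baseline(root)
        # in practice the baseline is written to read-only or off-box storage;
        # here it is just round-tripped through JSON to show it serialises cleanly
        baseline = json.loads(json.dumps(baseline))
        (root / "bin" / "ls").write_bytes(b"ELF trojaned ls")
        (root / "sbin" / ".hidden").write_bytes(b"dropper")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run daily from cron against /bin, /sbin, /lib and the like, and compared against a copy of the baseline the host cannot alter, this is the minimum that gives "nothing changed" any meaning after an event like the one in the thread.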
Current thread:
- rpc.statd message log Robert E. Martin (Apr 24)
- Re: rpc.statd message log Devdas Bhagat (Apr 24)
- Re: rpc.statd message log R. DuFresne (Apr 24)
- <Possible follow-ups>
- RE: rpc.statd message log Melson, Paul (Apr 24)
- Re: rpc.statd message log Robert E. Martin (Apr 25)
- RE: rpc.statd message log Melson, Paul (Apr 25)