Firewall Wizards mailing list archives

RE: rpc.statd message log


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 24 Apr 2003 13:01:29 -0400

That all depends.  Is the box in question Linux or Solaris on x86?  Is the version of statd on it known to be 
vulnerable?  All you've captured is an attempt to exploit a known buffer overflow in rpc.statd.  This could be a 
targeted attack, but it also could be one of a handful of worms that exploit this vulnerability (Lion[1] and Adore[2] 
are two that I am aware of).

PaulM

1. http://www.sans.org/y2k/lion_protection.htm
2. http://www.ciac.org/ciac/bulletins/l-067.shtml



 -----Original Message-----
I believe that the machine has been compromised, but I do not find any
trace using the cert.org recommended Intruder Detection Checklist. I have
stopped the rpc.statd service, since we don't use this at ALL!
http://www.kb.cert.org/vuls/id/34043
Any thoughts? Anyone?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

