Security Incidents mailing list archives
Solaris statd exploit?
From: Klaus Moeller <moeller () CERT DFN DE>
Date: Thu, 31 Aug 2000 12:28:48 +0200
Hartoyo writes:
I got this entry today on 3 different solaris boxes... Is this some kind of statd exploit?
Yes. It's the exploit for the new Linux rpc.statd vulnerability directed against a Solaris box. Since Solaris is not vulnerable (as you can see by the %x being displayed rather than evaluated), your box is not in danger.

And the older statd vulnerabilities? AFAIK, Solaris 8 is not vulnerable; unpatched Solaris 2.6 is vulnerable to the statd/automountd bug described in CERT advisory => http://www.cert.org/advisories/CA-99-05-statd-automountd.html
The OS is Solaris 8 (and Solaris 2.6)...
A script kiddie attack?
Definitely. A skilled attacker would have noticed the difference between Solaris and Linux.
Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x
At the same time, my FreeBSD box gave me this entry... Is it related? (based on the time)...
Aug 30 11:15:14 bsdbox portmap[32421]: connect from 216.227.9.49 to getport(status): request from unauthorized host
Likely. Most automated scans try to identify the port for RPC-based services via the portmapper.

Klaus Moeller, DFN-CERT

-- 
Klaus Moeller | mailto:moeller () cert dfn de
DFN-CERT GmbH | http://www.cert.dfn.de/team/moeller/
Vogt-Koelln-Str. 30 | Phone: +49(40)42883-2262
D-22527 Hamburg | FAX: +49(40)42883-2241
Germany | PGP-Key: finger moeller () ftp cert dfn de
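As an added illustration (not part of the thread), a small Python detector that flags the two kinds of log entry discussed above and ties them together by time: a statd "attempt to create" line whose monitor name contains printf-style conversions, and a portmap "getport(status)" probe from an unauthorized host. The sample lines are constructed from the entries quoted in the post (shortened, with a benign control line added); the syslog year is assumed to be 2000, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the two entries quoted in the post (shortened) plus one benign statd line.
SAMPLE_LOG = """\
Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x"
Aug 30 11:15:14 bsdbox portmap[32421]: connect from 216.227.9.49 to getport(status): request from unauthorized host
Aug 30 11:20:03 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/client42"
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
# printf-style conversions inside a monitor name: a non-vulnerable statd logs them
# literally (as Solaris does here), a vulnerable one would evaluate them
FMT_RE = re.compile(r"%\d*[xXnspdu]")
PORTMAP_RE = re.compile(r"connect from (?P<src>[\d.]+) to getport\((?P<svc>\w+)\): request from unauthorized host")

def classify(line, year=2000):
    """Return (kind, timestamp, host, detail) for a line of interest, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    prog, msg = m["prog"], m["msg"]
    if prog == "statd" and "attempt to create" in msg and FMT_RE.search(msg):
        return ("statd_format_string", ts, m["host"], msg)
    if prog == "portmap":
        p = PORTMAP_RE.search(msg)
        if p and p["svc"] == "status":  # "status" is the RPC program served by rpc.statd
            return ("portmap_status_probe", ts, m["host"], p["src"])
    return None

def correlate(lines, window_s=60):
    """Pair each statd format-string attempt with portmap 'status' probes seen within
    window_s seconds on any host, giving the probable scanning source(s)."""
    events = [e for e in map(classify, lines) if e]
    probes = [e for e in events if e[0] == "portmap_status_probe"]
    hits = []
    for kind, ts, host, _msg in events:
        if kind != "statd_format_string":
            continue
        srcs = sorted({p[3] for p in probes if abs((p[1] - ts).total_seconds()) <= window_s})
        hits.append({"host": host, "time": ts.isoformat(), "probable_sources": srcs})
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG.splitlines()):
        print(hit)
```

The correlation only says which scanner was probing the portmapper at the same time; the statd line alone is the indicator, and on a patched system it records a failed attempt, not a compromise.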
Current thread:
- Solaris statd exploit? Hartoyo (Aug 31)
- Re: Solaris statd exploit? Fyodor (Aug 31)
- Solaris statd exploit? Klaus Moeller (Aug 31)
- <Possible follow-ups>
- Re: Solaris statd exploit? Thomas Dullien (Aug 31)