Security Incidents mailing list archives

RE: Guess this is a hack attempt


From: "Chip McClure" <vhm3 () hades dnsalias net>
Date: Sun, 22 Jul 2001 14:09:26 -0700

Unfortunately, you're right. There's been a long-standing hole in
rpc.statd for quite some time, mainly on RedHat (and possibly other
distros). I've gotten burned on this one on some of my co-workers'
home machines, mainly last fall. Pretty much the same buffer overflow
to the service.

My suggestion: if you're running Tripwire, the report will give you
a listing of binaries that have changed (bogus copies of ssh, telnet,
su, etc.). If not, your safest bet is to wipe the machine &
re-install. Getting MD5 sums for a majority of the binaries in /bin,
/usr/bin, /usr/sbin, etc. can be really time-consuming.

If you don't really need portmap, I'd consider turning it off, or
firewalling the machines that have TCP & UDP port 111 left open.

-----Original Message-----
From: Gareth Hastings [mailto:ghastings () sc rr com]
Sent: Sunday, July 22, 2001 12:46 AM
To: incidents () securityfocus com
Subject: Guess this is a hack attempt


Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for
^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\22
0\220\220

How do I know if the attempt succeeded or not? This entry is repeated
about 50 times. I checked the obvious things like hosts.allow/deny
being changed. I checked for suid root files and entries in the
inetd.conf file. Is there anything else I should look for?

Thanks

Gareth



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


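Added example (not from either poster): a small Python scanner that picks out rpc.statd "gethostbyname error" syslog entries carrying printf directives and a \220 (0x90 NOP) run, like the one quoted above, and counts them per host so a ~50-times repeat stands out. Sample log lines are constructed, not from the thread.

```python
"""Flag rpc.statd 'gethostbyname error' entries whose "hostname" is really a
printf format string followed by a NOP sled, and count them per host."""
import re
from collections import Counter

SLED = r'\220' * 16  # syslog renders 0x90 (x86 NOP) as octal \220
# Constructed attack message modelled on the entry quoted in the thread.
ATTACK_MSG = ('gethostbyname error for ^X?y?^X?y?'
              '%8x%8x%8x%8x%62716x%hn%51859x%hn' + SLED)
SAMPLE_LOG = '\n'.join([  # constructed sample lines
    'Jul 17 07:47:45 somebox rpc.statd[609]: ' + ATTACK_MSG,
    'Jul 17 07:47:46 somebox rpc.statd[609]: ' + ATTACK_MSG,
    'Jul 17 08:01:02 somebox rpc.statd[609]: gethostbyname error for nfsclient.example.invalid',
    'Jul 17 08:05:10 somebox sshd[712]: Accepted password for gareth from 10.0.0.5 port 1022',
])

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
FMT_DIRECTIVE_RE = re.compile(r'%\d*[xn]|%hn')   # %8x, %62716x, %hn ...
NOP_SLED_RE = re.compile(r'(?:\\220){8,}')       # eight or more \220 in a row

def classify_statd_line(line):
    """Return details if the line looks like an rpc.statd format-string
    attempt, else None. A real hostname never contains printf directives."""
    m = SYSLOG_RE.match(line)
    if not m or m.group('prog') != 'rpc.statd':
        return None
    msg = m.group('msg')
    if not msg.startswith('gethostbyname error for'):
        return None
    hn_writes = msg.count('%hn')                 # %hn = the write primitive
    directives = len(FMT_DIRECTIVE_RE.findall(msg))
    nop_sled = NOP_SLED_RE.search(msg) is not None
    if hn_writes == 0 and directives == 0 and not nop_sled:
        return None
    return {'ts': m.group('ts'), 'host': m.group('host'), 'pid': m.group('pid'),
            'hn_writes': hn_writes, 'directives': directives, 'nop_sled': nop_sled}

def scan_log(text):
    """Return (list of suspicious entries, Counter of entries per host)."""
    hits = [h for h in (classify_statd_line(l) for l in text.splitlines()) if h]
    return hits, Counter(h['host'] for h in hits)

if __name__ == '__main__':
    hits, per_host = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']} rpc.statd[{h['pid']}]: {h['directives']} directives, "
              f"{h['hn_writes']} %hn writes, NOP sled={h['nop_sled']}")
    for host, n in per_host.items():
        print(f'{host}: {n} suspicious rpc.statd entries')
```

Run it against /var/log/messages (e.g. `scan_log(open('/var/log/messages').read())`) rather than the built-in sample; a hit only shows an attempt, so a changed-binary check or a rebuild is still the way to settle whether it worked.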

