Security Incidents mailing list archives
Re: two machines hack through rpc.statd
From: Timothy Lyons <Timothy.Lyons () PREDICTIVE COM>
Date: Wed, 7 Mar 2001 15:21:01 -0500
Vegard Svanberg <vegard () SVANBERG NO>
Sent by: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
03/07/2001 08:47
Please respond to Vegard Svanberg
To: INCIDENTS () SECURITYFOCUS COM
cc:
Subject: two machines hack through rpc.statd

<SNIP>
Here's the hostnames/IP addresses he came from:

    Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
    xinetd[8755]: START: reg pid=9614 from=63.198.203.190

In addition, I am wondering how I should handle this further, and IF I should.. I am currently located in Europe while he is probably in the US or something, hacking from a rooted *DSL-machine.. Any tips and recommendations are appreciated.
</SNIP>

You are probably right that the machine in your logs is a compromised host, but sending the details of the incident to abuse () home com would not hurt. @Home is fairly good about responding to incidents such as this, and at the very least the subscriber box that is being used to initiate the attacks could be brought offline until such time as it has been repaired. Make sure you reference the exact times and the timezone your logs are maintained in when submitting your report.

A scan of the hostname you referenced produced the following output:

    Port      State     Service
    21/tcp    open      ftp
    25/tcp    open      smtp
    110/tcp   open      pop-3
    119/tcp   open      nntp
    137/tcp   filtered  unknown
    138/tcp   filtered  unknown
    139/tcp   filtered  unknown
    1080/tcp  open      socks

    Port      State     Service
    137/udp   open      unknown
    138/udp   open      unknown
    139/udp   open      unknown

    Remote operating system guess: Windows NT4

This could be erroneous depending on the DHCP lease times @Home uses for their clients. From the hostname, one can only assume we are dealing with a cable/DSL subscriber in the San Diego, CA area (sdca.home.com).

As for tips, just the usual "don't run rpc.statd unless necessary and ensure you have the appropriate firewalling and ACLs in place to enhance the security of your system" would apply.

--Tim
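Tim's advice to quote exact times and the log timezone in the abuse report is the part most people get wrong: syslog lines carry neither a year nor a UTC offset, so the ISP has to guess. The script below, added here as an example and not code from the thread, takes syslog-style lines modelled on the two quoted above, stamps them with an explicit offset and a UTC equivalent, and lists the remote sources for the report. The log lines, the hostname `gw` and the assumption that the logs were kept in Central European Time (UTC+1) are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (syslog style: no year, no timezone), modelled on
# the two lines quoted in the thread. The timestamps and the host "gw" are invented.
SAMPLE_LOG = """\
Mar  7 08:41:03 gw xinetd[8755]: START: reg pid=9614 from=63.198.203.190
Mar  7 08:47:19 gw Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
"""

# Assumption: the syslog host ran in Central European Time (UTC+1). Replace with
# the zone your own logging host actually uses; a fixed offset keeps the example
# independent of the system tz database.
LOG_TZ = timezone(timedelta(hours=1), "CET")

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Matches the two source formats seen in the quoted lines: "from=<addr>" (xinetd)
# and "FROM <host>" (login records).
SOURCE_RE = re.compile(r"\b(?:from=|FROM )(?P<src>\S+)")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_syslog_line(line, year, log_tz=LOG_TZ):
    """Parse one syslog line into tz-aware local and UTC timestamps plus the
    remote source. The year is supplied by the caller because syslog omits it.
    Returns None for lines that are not in syslog format."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    local = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                     int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=log_tz)
    src = SOURCE_RE.search(m["msg"])
    return {
        "local": local,
        "utc": local.astimezone(timezone.utc),
        "host": m["host"],
        "source": src["src"] if src else None,
        "message": m["msg"],
    }


def build_abuse_report(log_text, year, log_tz=LOG_TZ):
    """Render the events for an abuse desk: every timestamp carries its explicit
    offset and a UTC equivalent, and the remote sources are summarised up front."""
    events = [e for e in (parse_syslog_line(l, year, log_tz)
                          for l in log_text.splitlines()) if e]
    sources = sorted({e["source"] for e in events if e["source"]})
    lines = [
        "Log timezone: %s (all local times below include their UTC offset)" % log_tz.tzname(None),
        "Remote sources observed: " + (", ".join(sources) if sources else "none"),
        "",
    ]
    for e in events:
        lines.append("%s  (UTC %s)  %s: %s" % (
            e["local"].isoformat(),
            e["utc"].strftime("%Y-%m-%d %H:%M:%S"),
            e["host"], e["message"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_abuse_report(SAMPLE_LOG, 2001))
```

Run it over your real log extract with the correct year and zone; the `isoformat()` output (`2001-03-07T08:41:03+01:00`) is unambiguous for an abuse desk on another continent, which is the point Tim is making.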
Current thread:
- two machines hack through rpc.statd Vegard Svanberg (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- <Possible follow-ups>
- Re: two machines hack through rpc.statd Timothy Lyons (Mar 07)
- Re: two machines hack through rpc.statd Justin Shore (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)