Vulnerability Development mailing list archives

Red Hat 7.1 rpc.statd problem

From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 05 Dec 2001 10:31:46 -0800

I have a question. It may sound a bit more appropriate for Incidents,
but keep reading.

So, I'm running a Red Hat 7.1 box. I intentionally have many services
running, but I applied all the patches from Red Hat during install, and
I apply any new patches within a few hours of them coming out. I have
this a few times in my messages file:

rpc.statd[496]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

This is fairly common from what I can see. Lots of people report this,
and it appears that this is what you get after the patches have been
applied, and the attack fails. This is the result of a standard exploit,
and I believe also a worm based on that same exploit. There doesn't
appear to be any evidence of a successful intrusion on my box.

So my question is: If this is a patched version, why the heck is it
trying to look up that name? I'm pretty sure that there
isn't someone out there who has that as a reverse name for PTR
records.

Can anyone help clear up my confusion? Is this just a really bad
patch, or is there still room for exploit, or is this the way
it's supposed to work?

Current thread:

Red Hat 7.1 rpc.statd problem Blue Boar (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Chris Ess (Dec 05)
  - Re: Red Hat 7.1 rpc.statd problem Przemyslaw Frasunek (Dec 05)
  - Re: Red Hat 7.1 rpc.statd problem Fyodor (Dec 05)
- Message not available
  - Message not available
    - Re: Red Hat 7.1 rpc.statd problem Fyodor (Dec 05)
    - Re: Red Hat 7.1 rpc.statd problem Blue Boar (Dec 05)
    - Re: Red Hat 7.1 rpc.statd problem Fyodor (Dec 05)
    - Re: Red Hat 7.1 rpc.statd problem Valdis . Kletnieks (Dec 06)