Firewall Wizards mailing list archives

Re: rpc.statd message log


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 24 Apr 2003 22:00:58 +0530

On 24/04/03 12:05 -0400, Robert E. Martin wrote:
<snip>
> I believe that the machine has been compromised, but do not find any 
> trace using cert.org recommended Intruder Detection Checklist. I have 
IIRC, you use Linux. 
What distro ( RH 6.2? ). Patch level?
Run chkrootkit, and validate checksums for binaries from a clean booted
system (not booted from the possibly compromised disk) using an
alternate md5sum and kernel binary.

> stopped the rpc.statd service, since we don't use this at ALL!
That should have been stopped as part of OS hardening itself.

Devdas Bhagat
> http://www.kb.cert.org/vuls/id/34043
> Any thoughts? Anyone?
>
> -- 
> Robert E Martin
> IT Manager
> Fishburne Military School
> rmartin () fishburne org
> 540.946.7726


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
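
The offline checksum validation suggested in the reply above, as an added example that is not part of the original message or of any tool it names. The function names `verify_tree` and `demo`, the manifest layout and the sample tree are assumptions constructed for illustration; the hashing binary is a parameter so it can be taken from the clean boot media.

```shell
#!/bin/sh
# Added example. Run from clean boot media with the suspect disk mounted read-only.
# verify_tree MANIFEST ROOT [HASHER]
#   MANIFEST  "hash  relative/path" lines (md5sum text format) from known-good media
#   ROOT      mount point of the suspect disk
#   HASHER    trusted hashing binary from the clean media (assumed: md5sum on PATH)
verify_tree() {
    manifest=$1; root=$2; hasher=${3:-md5sum}; status=0
    while read -r want path; do
        [ -n "$path" ] || continue
        target="$root/$path"
        if [ -L "$target" ]; then
            # An absolute symlink resolves against the clean system's root,
            # not the suspect disk, so symlinks are reported instead of hashed.
            echo "SYMLINK  $path"; status=1
        elif [ ! -f "$target" ]; then
            echo "MISSING  $path"; status=1
        else
            got=$("$hasher" < "$target" | cut -d' ' -f1)
            [ "$got" = "$want" ] || { echo "MODIFIED $path"; status=1; }
        fi
    done < "$manifest"
    return "$status"
}

# Constructed sample data: a stand-in "suspect disk" built in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/bin"
    printf 'ls-original\n' > "$d/root/bin/ls"
    printf 'ps-original\n' > "$d/root/bin/ps"
    (cd "$d/root" && md5sum bin/ls bin/ps) > "$d/manifest"   # known-good hashes
    printf '%s  bin/netstat\n' 00000000000000000000000000000000 >> "$d/manifest"
    printf '%s  bin/sh\n' 00000000000000000000000000000000 >> "$d/manifest"
    printf 'ps-trojaned\n' > "$d/root/bin/ps"   # simulate a replaced binary
    ln -s /bin/sh "$d/root/bin/sh"              # absolute symlink on the disk
    verify_tree "$d/manifest" "$d/root" || true
    rm -rf "$d"
}
demo
```

A non-zero return from `verify_tree` means at least one entry needs manual review; an empty report with a zero return means every listed file matched the manifest.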