Firewall Wizards mailing list archives
Re: rpc.statd message log
From: "Robert E. Martin" <rmartin () fishburne org>
Date: Thu, 24 Apr 2003 13:32:53 -0400
PMelson () analysts com wrote:
This is a Linux Red Hat 7.2 with all the latest patches working as a port forw box for our schools web server. This really is a low usage machine, compared to you big boys, and I have scanned it with a demo version of Retina. The results were great, as far as I can tell, in terms of open and shut ports. After I closed off the portmap service, the only port open now is 22 for ssl. Since yesterday, I have not seen this message in the logs. Amazing what a little maintenance will do.That all depends. Is the box in question Linux or Solaris on x86? Is the version of statd on it known to be vulnerable? All you've captured is an attempt to exploit a known buffer overflow in rpc.statd. This could be a targeted attack, but it also could be one of a handful of worms that exploit this vulnerability (Lion[1] and Adore[2] are two that I am aware of). PaulM 1. http://www.sans.org/y2k/lion_protection.htm 2. http://www.ciac.org/ciac/bulletins/l-067.shtml-----Original Message----- I believe that the machine has been compromised, but do not find any trace using cert.org recommended Intruder Detection Checklist. I have stopped the rpc.statd service, since we don't use this at ALL! http://www.kb.cert.org/vuls/id/34043 Any thoughts? Anyone?
-- Robert E Martin IT Manager Fishburne Military School rmartin () fishburne org 540.946.7726 _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- rpc.statd message log Robert E. Martin (Apr 24)
- Re: rpc.statd message log Devdas Bhagat (Apr 24)
- Re: rpc.statd message log R. DuFresne (Apr 24)
- <Possible follow-ups>
- RE: rpc.statd message log Melson, Paul (Apr 24)
- Re: rpc.statd message log Robert E. Martin (Apr 25)
- RE: rpc.statd message log Melson, Paul (Apr 25)