Firewall Wizards mailing list archives

Re: rpc.statd message log


From: "Robert E. Martin" <rmartin () fishburne org>
Date: Thu, 24 Apr 2003 13:32:53 -0400

PMelson () analysts com wrote:

That all depends.  Is the box in question Linux or Solaris on x86?  Is the
version of statd on it known to be vulnerable?  All you've captured is an
attempt to exploit a known buffer overflow in rpc.statd.  This could be a
targeted attack, but it also could be one of a handful of worms that exploit
this vulnerability (Lion[1] and Adore[2] are two that I am aware of).

PaulM

1. http://www.sans.org/y2k/lion_protection.htm
2. http://www.ciac.org/ciac/bulletins/l-067.shtml



-----Original Message-----
I believe that the machine has been compromised, but do not find any
trace using cert.org recommended Intruder Detection Checklist. I have
stopped the rpc.statd service, since we don't use this at ALL!
http://www.kb.cert.org/vuls/id/34043
Any thoughts? Anyone?



This is a Linux Red Hat 7.2 with all the latest patches working as a port-forwarding box for our school's web server. This really is a low-usage machine, compared to you big boys, and I have scanned it with a demo version of Retina. The results were great, as far as I can tell, in terms of open and shut ports. After I closed off the portmap service, the only port open now is 22 for ssl. Since yesterday, I have not seen this message in the logs. Amazing what a little maintenance will do.

--
Robert E Martin
IT Manager
Fishburne Military School
rmartin () fishburne org
540.946.7726


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
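The check the thread converges on (portmap and rpc.statd turned off, nothing but the ssh port left listening) can be verified from the box itself rather than from an external scanner. The script below is an added example and is not from any participant in this thread: it parses `netstat -ltun` style output against an allowlist of expected ports, and parses `rpcinfo -p` output to list whatever is still registered with portmap (rpc.statd registers as program 100024, service name "status"). The netstat and rpcinfo samples embedded in it are constructed so it runs offline; on a live host, pipe the real command output into the two functions instead. The allowlist of only port 22 is an assumption taken from the poster's description.

```sh
#!/bin/sh
# Added example, not code from the original thread. Confirms that a host
# that has had portmap/rpc.statd disabled is no longer listening on
# anything but the expected ports, and that no RPC programs remain
# registered. Samples below are constructed for offline use; on a real
# host run:  netstat -ltun | unexpected_listeners ; rpcinfo -p | rpc_services

# Assumption (from the thread): the only port that should be open is sshd.
EXPECTED_PORTS="22"

# Read netstat -ltun style lines on stdin. Print "proto port" for every
# listening socket whose local port is not in EXPECTED_PORTS.
unexpected_listeners() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^(tcp|udp)/ {
            addr = $4                 # local address, e.g. 0.0.0.0:111 or :::22
            sub(/.*:/, "", addr)      # keep only the port after the last colon
            if (!(addr in ok)) print $1, addr
        }'
}

# Read rpcinfo -p output on stdin and print the unique service names that
# are registered with portmap. Empty output means nothing is registered
# (or portmap itself is not running, in which case rpcinfo fails outright).
rpc_services() {
    awk 'NR > 1 && NF >= 5 { print $5 }' | sort -u
}

# Constructed sample: a host with sshd, portmap (111) and rpc.statd (1024).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:1024            0.0.0.0:*'

# Constructed sample: rpcinfo -p on the same host before portmap was stopped.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status'

# Run both checks over the constructed samples and report.
audit_sample() {
    echo "Listening sockets outside the allowlist (expect none after cleanup):"
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
    echo "RPC programs registered with portmap (expect none after cleanup):"
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_services
}

audit_sample
```

On the sample data the first check reports 111 and 1024 on both tcp and udp, and the second lists portmapper and status; after the cleanup described in the thread both should print nothing, which is the state the Retina scan was confirming from outside.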

