Security Incidents mailing list archives

Re: A statd exploit?


From: Ejovi Nuwere <ejovi () EJOVI NET>
Date: Fri, 18 Aug 2000 11:46:20 -0400

You can check /var/spool/calendar to see if the statd exploit succeeded or
not. Do a grep for bin or just view the files in that directory; if you see
anything that looks like the message from /var/adm/messages, the attack
succeeded.

Sounds like your friend was hacked a while ago and the attacker has been
playing around on his machine and for some reason decided to reboot it,
maybe by mistake, maybe to install a trojan.

I suggest your friend rebuilds the machine in question and contacts the
attacking service provider.


On Tue, 15 Aug 2000, Randy Nethers wrote:

Yesterday, a friend of mine from a local university asked me to take a look at
a machine (an Ultra 2 w/Solaris 2.6) which had rebooted itself yesterday morning
(Aug 14th) for no apparent reason.

After poking around, I could find nothing of interest, except two things.
First I found in /var/adm/messages.0 the following line:

Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^.  #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"

Also, this single entry in the messages file is the only message in any of the
log files from Aug 12, which I find strange.  (There are lots of messages in
/var/log/syslog from the Saturday before, but none for Aug 12, for instance
regarding emails going to and from the machine.)

The reboot occurred at about 9:30 am, just before people at the office where the
machine is located started using it.  The machine has Oracle on it.  I was
wondering if this might have anything to do with the rpc.statd exploit discussed
earlier on this list where a user found a file called /tmp/bob.  I looked, but
obviously, with the machine having been rebooted, there would be nothing in
/tmp.

Anybody have any ideas?

Thanks,

Randy Nethers

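Added example, not from either message in this thread: a small Python check that applies the triage idea above to syslog text, flagging statd lines that carry the format-string and inetd-injection indicators and pulling out the port the injected service would listen on. The log lines are constructed for the example, with the second modelled on the entry Randy quoted.

```python
import re

# Constructed sample syslog text (not from any real host). The second line is
# modelled on the statd entry quoted in the thread; the third is a benign
# statd message for contrast.
SAMPLE_LOG = """\
Aug 12 00:10:01 ultra2 sendmail[212]: mail delivered ok
Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %0242x%n%055x%n/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"
Aug 12 01:02:33 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/client42"
"""

# Indicators of a format-string attack against statd. A line must match at
# least min_hits of them before it is reported, to keep noise down.
INDICATORS = {
    # a run of %08x-style directives used to walk up the stack
    "format_directives": re.compile(r"(%0?\d*x\s*){4,}"),
    # %n directives write to memory; they never belong in a host name
    "write_directive": re.compile(r"%\d*n"),
    # a shell being spawned from the payload
    "shell_spawn": re.compile(r"/bin/sh"),
    # an inetd.conf-style entry that would run a root service on a port
    "inetd_root_service": re.compile(r"\b\d+\s+stream\s+tcp\s+nowait\s+root\b"),
}

INETD_PORT = re.compile(r"(\d+)\s+stream\s+tcp\s+nowait\s+root")


def analyze_line(line):
    """Return the set of indicator names that match one syslog line."""
    return {name for name, rx in INDICATORS.items() if rx.search(line)}


def find_statd_attacks(log_text, min_hits=2):
    """Return (line_no, sorted indicators, listener_port) for each suspicious
    statd line. listener_port is the port from an injected inetd entry, or
    None; it is the port to check for an unexpected root shell listener."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if "statd" not in line:
            continue
        found = analyze_line(line)
        if len(found) < min_hits:
            continue
        m = INETD_PORT.search(line)
        port = int(m.group(1)) if m else None
        hits.append((n, sorted(found), port))
    return hits


if __name__ == "__main__":
    for line_no, indicators, port in find_statd_attacks(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(indicators)}; injected listener port {port}")
```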

