Security Incidents mailing list archives

Re: rpc.statd exploit?


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Sat, 19 Aug 2000 13:48:30 -0700

On Fri, 18 Aug 2000, azimuth wrote:

> If you do file integrity checks with Tripwire or similar software, go
> over your suspect system looking for changes.

Even if you do, they may add things that tripwire isn't checking for.  A
better way is to use the grave-robber/mactime programs found in Wietse
Venema/Dan Farmer's The Coroner's Toolkit.  I have a write-up on the
steps (feedback from anyone welcome):

        http://staff.washington.edu/dittrich/misc/forensics/
        http://staff.washington.edu/dittrich/talks/blackhat/

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
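As an added illustration (not part of Dave's message and not code from The Coroner's Toolkit), a minimal mactime-style timeline in Python: it lstat()s every entry under a directory rather than only the files a Tripwire policy happens to list, and the constructed sample shows why this catches more, since a file whose mtime/atime were pushed back still stands out by its ctime. Function names such as `collect_mac_times` and `make_sample_tree` are my own.

```python
import os
import tempfile
import time
from collections import defaultdict

def collect_mac_times(root):
    """lstat every entry under root and record (path, mtime, atime, ctime).
    Unlike a Tripwire run, nothing is skipped because the policy never listed it."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable entry, skip it
            records.append((path, int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return records

def build_timeline(records):
    """mactime-style timeline: one (timestamp, flags, path) per second a file was
    touched; flags are 'm', 'a', 'c' or '.' in fixed positions, e.g. 'm.c'."""
    hits = defaultdict(set)
    for path, m, a, c in records:
        hits[(m, path)].add("m")
        hits[(a, path)].add("a")
        hits[(c, path)].add("c")
    return [(ts, "".join(f if f in flags else "." for f in "mac"), path)
            for (ts, path), flags in sorted(hits.items())]

def events_since(timeline, since_epoch):
    """Restrict the timeline to the suspected intrusion window."""
    return [e for e in timeline if e[0] >= since_epoch]

def make_sample_tree():
    """Constructed sample, not data from a real system: one file whose mtime and
    atime were pushed back to 2000 (as touch -t would); ctime cannot be set
    through utime, so it still records when the file was really written."""
    root = tempfile.mkdtemp()
    old = 966000000                          # 11 Aug 2000 UTC, arbitrary
    path = os.path.join(root, "login")
    open(path, "w").close()
    os.utime(path, (old, old))
    return root, path, old

if __name__ == "__main__":
    root, _, old = make_sample_tree()
    for ts, flags, path in build_timeline(collect_mac_times(root)):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)), flags, path)
```

Run against a mounted image of the suspect disk (read-only) rather than the live system, and compare with the Tripwire report to see what the policy missed.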

