Security Incidents mailing list archives

Re: two machines hack through rpc.statd


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 7 Mar 2001 15:11:23 -0700

On Wed, 7 Mar 2001, Vegard Svanberg wrote:

> I admin two servers which were recently hacked.  They were just installed
> with RH7 and really not important (and not in production) so there was
> no big deal.

What is your evidence that he got in via rpc.statd?  There are no known
rpc.statd holes that ship with Red Hat 7.0.

> However, that is not an excuse for hacking them, so I'd
> like to report this guy to his local police so they could lock him up in
> jail where he belongs.

I think you'll need some logs documenting the original intrusion.  The
login after the fact might be enough.  Do you have an estimate of damages
that you have suffered?  I.e. a Dollar (Euro) amount.

> 2.  Fetched a package (secure.tar.gz) containing some scripts to clear
>     the logs and a couple of RPMs to fix a couple of security holes.
> 3.  Patched rpc.statd.
> 4.  Configured inetd to run /bin/sh at port 666.  He firewalled the
>     port.
> 5.  Ran a script ("g.sh" also known as "gh0st.sh") to wipe the logs.

Will you be making the files available?  If it is RH7, I'd be curious as
to what the rpc.statd patch was.

                                        Ryan
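An added example, not part of the thread, showing how a defender might spot the kind of inetd entry step 4 describes (a shell bound to a port that /etc/services does not list). It parses classic inetd.conf lines only; Red Hat 7 ships xinetd, whose per-service files have a different layout. The sample config and the stand-in for /etc/services are constructed.

```python
# Added example (not from the original post): flag inetd.conf entries that
# bind a shell to an unregistered port. Assumes the classic inetd.conf layout
# (service socket_type protocol wait/nowait user server [args...]).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}

# Constructed sample config with one injected entry on the last line.
SAMPLE_INETD_CONF = (
    "# constructed sample in classic inetd.conf format\n"
    "ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a\n"
    "telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd\n"
    "daytime stream  tcp  nowait  root  internal\n"
    "666     stream  tcp  nowait  root  /bin/sh  sh\n"
)

# Constructed stand-in for the service names that /etc/services would list.
KNOWN_SERVICES = {"ftp", "telnet", "daytime", "finger", "shell", "login"}


def parse_inetd_line(line):
    """Return the fields of one inetd.conf entry, or None for comments/blanks."""
    body = line.split("#", 1)[0].strip()
    fields = body.split()
    if len(fields) < 6:
        return None
    return {"service": fields[0], "user": fields[4],
            "server": fields[5], "args": fields[6:]}


def suspicious_entries(conf_text, known_services):
    """Return (line_number, service, reasons) for entries worth a closer look."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        entry = parse_inetd_line(raw)
        if entry is None:
            continue
        reasons = []
        if entry["server"] in SHELLS:
            reasons.append("server program is a shell")
        if entry["service"] not in known_services:
            reasons.append("service not in /etc/services")
        if reasons and entry["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((lineno, entry["service"], reasons))
    return findings
```

Run `suspicious_entries(SAMPLE_INETD_CONF, KNOWN_SERVICES)` to see the injected line 5 reported with all three reasons.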

