Security Incidents mailing list archives
Re: two machines hack through rpc.statd
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 7 Mar 2001 15:11:23 -0700
On Wed, 7 Mar 2001, Vegard Svanberg wrote:

> I admin two servers that were recently hacked. They were just installed with RH7 and really not important (and not in production) so there was no big deal.

What is your evidence that he got in via rpc.statd? There are no known rpc.statd holes that ship with Red Hat 7.0.

> However, that is not an excuse for hacking them, so I'd like to report this guy to his local police so they could lock him up in jail where he belongs.

I think you'll need some logs documenting the original intrusion. The login after the fact might be enough. Do you have an estimate of damages that you have suffered? I.e. a Dollar (Euro) amount.

> 2. Fetched a package (secure.tar.gz) containing some scripts to clear the logs and a couple of RPMs to fix a couple of security holes.
> 3. Patched rpc.statd.
> 4. Configured inetd to run /bin/sh at port 666. He firewalled the port.
> 5. Ran a script ("g.sh" also known as "gh0st.sh") to wipe the logs.

Will you be making the files available? If it is RH7, I'd be curious as to what the rpc.statd patch was.

Ryan
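The quoted post describes the intruder adding an inetd entry that spawns /bin/sh on port 666. A defender checking a box for this kind of persistence would audit inetd.conf for entries that exec a shell directly or bind a bare port number instead of a named service. The following is an added example, not code from the thread or from either poster; the sample inetd.conf content is constructed here, with its last line modelled on the entry the post describes.

```python
# Audit an inetd.conf for entries that look like backdoors: services whose
# server program is a shell, or whose "service" field is a raw port number.

# Constructed sample inetd.conf (not from the original thread). The last
# line mirrors the "run /bin/sh at port 666" entry described in the post.
SAMPLE_INETD_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
666     stream  tcp  nowait  root  /bin/sh  sh -i
"""

# Interpreters that should never be the server program of an inetd service.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/tcsh", "/bin/zsh"}


def parse_inetd_conf(text):
    """Return one dict per active (non-comment, non-blank) inetd.conf line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; inetd would not load it either
        entries.append({
            "line": lineno,
            "service": fields[0],
            "sock_type": fields[1],
            "proto": fields[2],
            "flags": fields[3],
            "user": fields[4],
            "server": fields[5],
            "args": fields[6:],
        })
    return entries


def suspicious_entries(entries):
    """Flag entries that exec a shell directly or use a numeric port as the service."""
    findings = []
    for e in entries:
        reasons = []
        if e["server"] in SHELLS:
            reasons.append("server program is a shell")
        if e["service"].isdigit():
            reasons.append("service given as a bare port number")
        if reasons:
            findings.append((e["line"], e["service"], e["server"], reasons))
    return findings


if __name__ == "__main__":
    for line, service, server, reasons in suspicious_entries(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {line}: service={service} server={server}: {'; '.join(reasons)}")
```

On a real host, read /etc/inetd.conf (or the xinetd.d fragments) instead of the embedded sample and compare the parsed entries against a known-good baseline from a freshly installed system; an entry that is absent from the baseline is worth the same scrutiny as one this script flags.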
Current thread:
- two machines hack through rpc.statd Vegard Svanberg (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- <Possible follow-ups>
- Re: two machines hack through rpc.statd Timothy Lyons (Mar 07)
- Re: two machines hack through rpc.statd Justin Shore (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)