Re: RPC EXPLOIT statdx

["Brian" <brea () physiometrics SPAM ONLY HELPS A BUSINESS FAIL net>]

i'm seeing more port 111 hits lately, too.  cn.net, snet.net, elim.net...
that last one's mexico.  i think i also had a dialogue with some isp in
italy about rpc probes, too. yes, i'm certainly seeing more... more FTP than
usual, too, frankly.

my main surprise was a HUGE burst of Nimda and other port 80 nonsense
yesterday and today.

Brian Rea
Senior Network Engineer
PhysioMetrics


----- Original Message -----
From: John Stauffacher <stauffacher () chapman edu>
To: <incidents () securityfocus com>
Sent: Tuesday, January 22, 2002 21:05
Subject: RPC EXPLOIT statdx


> In the past few days my firewall has picked up a surge of rpc related
> exploits (statdx) coming from the UK and various other off-shore sites.
> Anyone else see any strange rpc related activity, or am I just suddenly
> the target of pissed off script kiddies.
>
>
> ++
> John Stauffacher
> Network Administrator
> Chapman University
> stauffacher () chapman edu
> 714-628-7249
>
> -----Original Message-----
> From: Vladimir Ivaschenko [mailto:hazard () francoudi com]
> Sent: Tuesday, January 22, 2002 1:43 PM
> To: incidents () securityfocus com
> Subject: optic rootkit (was Re: xsf/xchk)
>
> By using "strings" I have found that changed binaries to point to
> files inside /dev/tux directory. Judging by /dev/tux/ssh2/logo,
> the name of the rootkit is "Optic Kit". I couldn't find anything
> about it using Google. If somebody is interested, I can share
> needed information and the rootkit itself. I have made a copy of
> the rookit-related files that I found. wtmp was removed, and
> /var/log/messages was cleaned to remove references about attacker
> - e.g. FTP "connection opened" messages.
>
> We are going to reinstall the system, so please email me ASAP if
> you're interested to know any additional details.
>
> Vladimir Ivaschenko wrote about "xsf/xchk":
>
> > Hi,
> >
> > Today a RedHat 7.1 Linux machine of my friend was compromised.
> > I have just started investigating, so I don't have any
> > information of how it was done. After attack login via console
> > stopped working.
> >
> > I have found the following files in /usr/bin: xchk and xsf. They
> > are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
> > sitting on port 14859. I don't know what is the purpose of xchk.
> > killall and ps were also replaced by programs which hide xsf and
> > xchk.
> >
> > Does anyone saw something similar before and can point me to some
> > information? I tried searching for xsf / xchk in Google and
> > didn't have any results.
> >
> > --
> > Best Regards
> > Vladimir Ivaschenko
> > Certified Linux Engineer (RHCE)
>
> --
> Best Regards
> Vladimir Ivaschenko
> Certified Linux Engineer (RHCE)
>
> ------------------------------------------------------------------------
> ----
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com