Vulnerability Development mailing list archives
Re: Red Hat 7.1 rpc.statd problem
From: Fyodor <fygrave () tigerteam net>
Date: Thu, 6 Dec 2001 02:57:30 +0700
On Wed, Dec 05, 2001 at 11:30:57AM -0800, Blue Boar wrote:
Would you post that to the list too, please?
sure ;-) I wrote:
Because originally the bug was simply:

    if (cant_lookup_hostname(userdata)) { syslog(userdata); }

Now they fixed it to be:

    syslog("lookup screwed for: %s\n", userdata);

So you're still seeing the hostname anyway, but since it isn't interpreted as a format string, the bug is gone. (Of course I am not precise with the code; it could be different, but the idea is here.)

On Wed, Dec 05, 2001 at 10:31:46AM -0800, Blue Boar wrote:

I have a question. It may sound a bit more appropriate for Incidents, but keep reading.

So, I'm running a Red Hat 7.1 box. I intentionally have many services running, but I applied all the patches from Red Hat during install, and I apply any new patches within a few hours of them coming out. I have this a few times in my messages file:

rpc.statd[496]: gethostbyname error for ^XВЪ©^XВЪ©^ZВЪ©^ZВЪ©%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

This is fairly common from what I can see. Lots of people report this, and it appears that this is what you get after the patches have been applied and the attack fails.

This is the result of a standard exploit, and I believe also a worm based on that same exploit. There doesn't appear to be any evidence of a successful intrusion on my box. So my question is: if this is a patched version, why the heck is it trying to look up that name? I'm pretty sure that there isn't someone out there who has that as a reverse name for PTR records.

Can anyone help clear up my confusion? Is this just a really bad patch, or is there still room for exploit, or is this the way it's supposed to work?

BB
-- http://www.notlsd.net PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
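The point Fyodor makes is that on the unpatched daemon the "hostname" was the format string, so the %8x / %62716x / %hn chain in Blue Boar's log line would have been interpreted, while the patched daemon passes it through "%s" and merely logs it. The following is an added example (not code from the thread, not rpc.statd source) that does two things with that logged payload: it walks the directive chain the way printf would, to show what each %hn would have stored on an unpatched host, and it applies the detection check a sysadmin reading /var/log/messages wants, namely flagging a gethostbyname line whose "hostname" contains a literal %n or %hn. The four leading address bytes are replaced with placeholder 'A's (the real bytes are mangled in the archive), the NOP sled after the last %hn is dropped because it cannot affect the counts, and the simulation assumes each %x prints max(width, 8) bytes, i.e. a 32-bit operand as on the x86 target of the day; those are the example's assumptions, not facts from the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the payload in Blue Boar's log line: four 4-byte
 * address slots (placeholder 'A's here; the real bytes are mangled in the
 * archive), followed by the directive chain copied verbatim from the log.
 * The trailing NOP sled (\220 = 0x90) is omitted: it comes after the last
 * %hn and so cannot change what the %hn directives store. */
static const char kPayload[] =
    "AAAAAAAAAAAAAAAA"
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn";

/* Walk a format string the way printf would, tracking only how many bytes
 * it would have emitted, and record the value each %n / %hn would store
 * (the running count, truncated to 16 bits for %hn). Assumption, flagged
 * here: each %x/%u/%d emits max(width, 8) bytes, i.e. a 32-bit operand as
 * on the 2001-era x86 target. Returns the number of writes recorded. */
int simulate_n_writes(const char *fmt, unsigned long *writes, int maxwrites,
                      unsigned long *total_out)
{
    unsigned long count = 0;
    int nwrites = 0;
    const char *p = fmt;

    while (*p) {
        if (*p != '%') { count++; p++; continue; }
        p++;                                        /* past '%' */
        if (*p == '%') { count++; p++; continue; }  /* literal percent */
        unsigned long width = 0;
        while (isdigit((unsigned char)*p))
            width = width * 10 + (unsigned long)(*p++ - '0');
        int is_short = 0;
        if (*p == 'h') { is_short = 1; p++; }
        switch (*p) {
        case 'x': case 'X': case 'u': case 'd':
            count += width > 8 ? width : 8;   /* assumption: 32-bit operand */
            break;
        case 'n':
            if (nwrites < maxwrites)
                writes[nwrites] = is_short ? (count & 0xffffUL) : count;
            nwrites++;
            break;
        default:
            count++;                          /* unknown directive: count as one byte */
            break;
        }
        if (*p) p++;
    }
    if (total_out) *total_out = count;
    return nwrites < maxwrites ? nwrites : maxwrites;
}

/* The value the idx-th %n-style directive in kPayload would store, or 0. */
unsigned long payload_hn_write(int idx)
{
    unsigned long w[8];
    int n = simulate_n_writes(kPayload, w, 8, NULL);
    return (idx >= 0 && idx < n) ? w[idx] : 0;
}

/* Total bytes an unpatched daemon would have tried to emit for kPayload. */
unsigned long payload_total_bytes(void)
{
    unsigned long total;
    simulate_n_writes(kPayload, NULL, 0, &total);
    return total;
}

/* Log check: on a patched statd the probe is logged verbatim via "%s", so a
 * literal %n or %hn in the logged "hostname" is the tell-tale. Returns 1 for
 * a format-string probe, 0 for an ordinary lookup failure. */
int looks_like_statd_probe(const char *logline)
{
    const char *p = strstr(logline, "gethostbyname error for ");
    if (!p) return 0;
    return (strstr(p, "%hn") != NULL || strstr(p, "%n") != NULL) ? 1 : 0;
}

int main(void)
{
    unsigned long w[8], total;
    char line[256];
    int n = simulate_n_writes(kPayload, w, 8, &total);
    printf("unpatched daemon would emit %lu bytes; %d %%n-style writes:\n", total, n);
    for (int i = 0; i < n; i++)
        printf("  write %d stores 0x%04lx\n", i, w[i]);
    /* constructed log line in the same shape as Blue Boar's */
    snprintf(line, sizeof line, "rpc.statd[496]: gethostbyname error for %s", kPayload);
    printf("probe? %d\n", looks_like_statd_probe(line));
    return 0;
}
```

With the assumptions above, the first %hn is reached after 16 + 9*8 + 62716 = 62804 bytes and stores 0xF554, and the second after a further 51859 bytes (114663 in total) stores 0xBFE7. Read as a pair they look like a 0xbfe7f554 stack address, which is the kind of value such a chain is built to plant; which of the four leading address slots each %hn actually hits depends on stack layout and is not something the log line alone tells you. On the patched host none of this runs: the line is logged as-is, which is exactly why the directives are still visible in the messages file.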
Current thread:
- Red Hat 7.1 rpc.statd problem Blue Boar (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Chris Ess (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Przemyslaw Frasunek (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Fyodor (Dec 05)
- Message not available
- Message not available
- Re: Red Hat 7.1 rpc.statd problem Fyodor (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Blue Boar (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Fyodor (Dec 05)
- Re: Red Hat 7.1 rpc.statd problem Valdis . Kletnieks (Dec 06)
- Message not available
- Re: Red Hat 7.1 rpc.statd problem Chris Ess (Dec 05)