
Re: [Fwd: rpc.statd hacking but firewalled]



On Sun, 11 Mar 2001, hanasaki wrote:

> The following showed up in my syslog the other day.... Is this possible
> hacking?

(crack attempt log omitted...)

Yes, it is an attempt to exploit a buffer overflow in rpc.statd to get a
root shell. If you suspect that rpc.statd was vulnerable (this is an old
vulnerability that got fixed in debian long ago, but did you install the
fixed packages?), turn off that computer, take it offline, reboot off a
trusted medium (i.e. a recovery cd or floppy) with trusted kernel and
system utilities, and carefully check it. If you have recent backups of
your configuration and user files (before the crack, if you think you were
indeed cracked), reinstall the system from scratch and restore the
backups. It will probably be faster than painstakingly checking and cleaning the
compromised host for hidden backdoors and the like, and it will surely
be safer.

Anyway, before embarking on a reinstall & restore from backups, do check
whether the host was indeed compromised. If you were diligent in applying
debian security updates, you were (and are) safe from this particular
attack (and just about all known root exploits against debian, thanks to
the great work done by the debian security team).

Anyway, if you are able to trace the origin of the attempted attack from
your logs, do check with the whois database who is responsible for the
source IP number, send him/her a mail and a log excerpt showing the
attempted attack and ask him/her to take the appropriate steps to prevent
such things for the future. He/she will probably thank you, as he/she is
likely to find out that the source host was compromised as well.

Bye, good luck
Giacomo

_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________
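The reply above recommends two things before anything else: decide from the logs whether the rpc.statd messages really look like an exploit attempt, and pull out the source address so the responsible party can be sent a log excerpt. The following script is an added example and not code from the thread or from any Debian package; it parses constructed syslog lines (hypothetical host name `mbox`, PIDs and RFC 5737 addresses, since the poster's real log was omitted), flags rpc.statd entries whose message is abnormally long or dominated by octal escape sequences (a heuristic assumed here, with thresholds chosen for illustration), and builds the kind of excerpt one would attach to an abuse report.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt. The middle line imitates the shape of a
# statd message stuffed with non-printable bytes (rendered by syslog as octal
# escapes); it is filler for the example, not a real exploit string.
FILLER = "\\220" * 60
SAMPLE_SYSLOG = [
    "Mar 10 03:14:01 mbox rpc.statd[412]: SM_MON request for host 192.0.2.77 ok",
    "Mar 10 03:14:22 mbox rpc.statd[412]: gethostbyname error for 192.0.2.77: " + FILLER,
    "Mar 10 03:15:03 mbox sshd[501]: Accepted publickey for alice from 198.51.100.10 port 40022",
]

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.\-/]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
OCTAL_ESCAPE_RE = re.compile(r"\\[0-7]{3}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Split one syslog line into its fields; returns None for unparsable lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_statd(entry, max_len=256, max_escape_ratio=0.3):
    """Heuristic (an assumption of this example): an rpc.statd message that is
    far longer than any legitimate SM_MON/SM_NOTIFY text, or whose content is
    mostly octal escapes for non-printable bytes, deserves a closer look."""
    if entry is None or entry["prog"] != "rpc.statd":
        return False
    msg = entry["msg"]
    if len(msg) > max_len:
        return True
    escaped_chars = 4 * len(OCTAL_ESCAPE_RE.findall(msg))  # each escape is 4 chars
    return bool(msg) and escaped_chars / len(msg) > max_escape_ratio


def extract_ips(message):
    """Return the IPv4 addresses mentioned in a message, in order of appearance."""
    return IPV4_RE.findall(message)


def summarize(lines):
    """Collect suspicious statd entries and count the source addresses they name."""
    suspicious = []
    sources = Counter()
    for line in lines:
        entry = parse_line(line)
        if is_suspicious_statd(entry):
            suspicious.append(entry)
            for ip in extract_ips(entry["msg"]):
                sources[ip] += 1
    return {"suspicious": suspicious, "sources": sources}


def abuse_report_excerpt(summary, max_msg=80):
    """Format the evidence as a short excerpt for the mail the reply suggests
    sending to whoever is responsible for the source address."""
    out = []
    for ip, n in summary["sources"].most_common():
        out.append(f"Source {ip}: {n} suspicious rpc.statd message(s)")
    for e in summary["suspicious"]:
        msg = e["msg"]
        if len(msg) > max_msg:
            msg = msg[:max_msg] + f"... [{len(e['msg'])} chars total]"
        out.append(f"  {e['ts']} {e['host']} {e['prog']}[{e['pid']}]: {msg}")
    return "\n".join(out)


if __name__ == "__main__":
    print(abuse_report_excerpt(summarize(SAMPLE_SYSLOG)))
```

The ordinary SM_MON line and the sshd line pass through untouched; only the overlong statd message is reported, and the excerpt truncates it so the mail stays readable while still stating the full length. Whether the host was actually compromised is a separate question that the script cannot answer, which is exactly why the reply insists on checking from trusted media.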