Re: rpc.statd attack?
crusius@stanford.edu writes:
> I got the following (alarming) messages on syslog:
>
> Jan 8 13:34:23 yuban syslogd: Cannot glue message parts together
> Jan 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7[snip]
> Jan 8 13:34:23 yuban \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L[snip]
>
> it looks like an attack (especially when I see /bin/sh hidden in there). I
> searched the lists and it seems that this problem should have been
> corrected before potato was released. Any reason for worries, or is there
> any reason why I should think it was an unsuccessful attack?
I don't know that there wasn't a more recent vulnerability in rpc.statd
after potato, but I carry no authority in suggesting one way or another.
The above *does* look suspiciously like you've been cracked, though. You
should know the drill: take offline, copy disk off to backup/forensic
storage, blank and reinstall. Look through the forensic copy for
changes to inetd, inittab and login.
~Tim
--
The light of the world keeps shining, |piglet@glutinous.custard.org
Bright in the primal glow |http://piglet.is.dreaming.org
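The lines quoted in the thread are a good test case for a log check that flags what a real `gethostbyname` failure never contains: escaped bytes above 0x7f, control characters, and path fragments such as `/bin` and `/sh` inside the argument rpc.statd tried to resolve. The following detector is an added example written for this page, not code from the thread or from Debian; the first three sample lines are the ones quoted above (shortened with "[snip]" as in the post), the two benign lines are constructed, and the scoring heuristics and the handling of sysklogd's "Cannot glue message parts together" message (emitted when a message is too long to reassemble, after which the remainder is logged as a separate untagged line) are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the syslog excerpt quoted in the thread.
# Lines 0-2 are the quoted ones; lines 3-4 are invented benign traffic.
SAMPLE_LOG = [
    r"Jan 8 13:34:23 yuban syslogd: Cannot glue message parts together",
    r"Jan 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7[snip]",
    r"Jan 8 13:34:23 yuban \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L[snip]",
    r"Jan 8 13:35:01 yuban /sbin/rpc.statd[159]: gethostbyname error for nfsclient.example.internal",
    r"Jan 8 13:36:10 yuban CRON[201]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Classic BSD syslog layout: timestamp, host, then "program[pid]: message".
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# How syslogd renders non-printable bytes: \xNN, \NNN (octal) and ^X caret notation.
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
OCT_ESC = re.compile(r"\\([0-7]{3})")
CARET_ESC = re.compile(r"\^[@A-Z\[\\\]^_?]")
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9.-]+$")
SHELL_MARKERS = ("/bin", "/sh")


def count_high_bytes(text: str) -> int:
    """Count escaped bytes >= 0x80 in a syslog line; a DNS name never contains any."""
    hexes = sum(1 for m in HEX_ESC.finditer(text) if int(m.group(1), 16) >= 0x80)
    octs = sum(1 for m in OCT_ESC.finditer(text) if int(m.group(1), 8) >= 0o200)
    return hexes + octs


def analyze_line(line: str) -> Dict[str, object]:
    """Parse one syslog line and collect reasons it looks like a binary payload."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"line": line, "suspicious": False, "reasons": ["unparseable"]}
    host, rest = m.group("host"), m.group("rest")
    tag = TAG_RE.match(rest)
    prog = tag.group("prog") if tag else None      # None: untagged continuation line
    msg = tag.group("msg") if tag else rest
    reasons: List[str] = []
    high = count_high_bytes(msg)
    ctrl = len(CARET_ESC.findall(msg))
    if high:
        reasons.append(f"{high} escaped bytes >= 0x80")
    if ctrl:
        reasons.append(f"{ctrl} control characters")
    for marker in SHELL_MARKERS:
        if marker in msg:
            reasons.append(f"shell path fragment {marker!r}")
    # rpc.statd names the string it failed to resolve; anything that is not a
    # syntactically valid host name was handed to it by a client on purpose.
    if prog and prog.endswith("rpc.statd"):
        parts = msg.split("gethostbyname error for ", 1)
        if len(parts) == 2 and not HOSTNAME_OK.match(parts[1]):
            reasons.append("gethostbyname argument is not a valid host name")
    return {"host": host, "program": prog, "suspicious": bool(reasons),
            "reasons": reasons, "line": line}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return the analyses of every line that looks like payload rather than a host name."""
    results = []
    glue_host = None  # host whose syslogd just failed to reassemble an oversized message
    for line in lines:
        r = analyze_line(line)
        if r.get("program") == "syslogd" and "Cannot glue" in line:
            glue_host = r["host"]
        elif glue_host is not None and r.get("program") is None and r.get("host") == glue_host:
            # Assumption: an untagged line right after "Cannot glue" is the tail of
            # the same oversized message, so it belongs to the rpc.statd event.
            r["reasons"].append("untagged tail of an oversized message")
            r["suspicious"] = True
        if r["suspicious"]:
            results.append(r)
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['host']} {hit['program'] or '(continuation)'}: {', '.join(hit['reasons'])}")
```

Run against the sample, only the two quoted payload lines are reported; the genuine lookup failure for `nfsclient.example.internal` and the cron line pass cleanly. The point of the check is the one Tim makes: a resolver error message whose argument is mostly high bytes and control characters, with `/bin` and `/sh` embedded, is not a misconfigured client, and the host should be treated as compromised until the forensic copy says otherwise.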