
Re: rpc.statd attack?



crusius@stanford.edu writes:

> I got the following (alarming) messages on syslog:
> 
> Jan  8 13:34:23 yuban syslogd: Cannot glue message parts together
> Jan  8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7[snip]
> Jan  8 13:34:23 yuban \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L[snip]
> 
> It looks like an attack (especially when I see /bin/sh hidden in there). I
> searched the lists and it seems that this problem should have been
> corrected before potato was released. Any reason for worries, or is there
> any reason why I should think it was an unsuccessful attack?

I don't know that there wasn't a more recent vulnerability in rpc.statd
after potato, but I carry no authority in suggesting one way or another.

The above *does* look suspiciously like you've been cracked, though. You
should know the drill: take offline, copy disk off to backup/forensic
storage, blank and reinstall. Look through the forensic copy for
changes to inetd, inittab and login.

~Tim
-- 
The light of the world keeps shining,           |piglet@glutinous.custard.org
Bright in the primal glow                       |http://piglet.is.dreaming.org


