Security Incidents mailing list archives
Re: A statd exploit?
From: Ejovi Nuwere <ejovi () EJOVI NET>
Date: Fri, 18 Aug 2000 11:46:20 -0400
You can check /var/spool/calendar to see if the statd exploit succeeded or not. Do a grep for bin or just view the files in that directory; if you see anything that looks like the message from /var/adm/messages, the attack succeeded. Sounds like your friend was hacked a while ago and the attacker has been playing around on his machine and for some reason decided to reboot it, maybe by mistake, maybe to install a trojan. I suggest your friend rebuild the machine in question and contact the attacking service provider.

On Tue, 15 Aug 2000, Randy Nethers wrote:
> Yesterday, a friend of mine from a local university asked me to take a look at a machine (an Ultra 2 w/Solaris 2.6) which had rebooted itself yesterday morning (Aug 14th) for no apparent reason. After poking around, I could find nothing of interest, except two things. First I found in /var/adm/messages.0 the following line:
>
> Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^. #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"
>
> Also, this single entry in the messages file is the only message in any of the log files from Aug 12, which I find strange. (There are lots of messages in /var/log/syslog from the Saturday before, but none for Aug 12, for instance regarding emails going to and from the machine.) The reboot occurred at about 9:30 am, just before people at the office where the machine is located started using it. The machine has Oracle on it.
>
> I was wondering if this might have anything to do with the rpc.statd exploit discussed earlier on this list where a user found a file called /tmp/bob. I looked, but obviously, with the machine having been rebooted, there would be nothing in /tmp. Anybody have any ideas?
>
> Thanks,
> Randy Nethers
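As an added example that is not part of the thread (my code, not Ejovi's or Randy's): a small Python scanner that reads a Solaris-style /var/adm/messages, picks out statd entries that carry the format-string signature Randy quoted (a burst of %08x conversions followed by %n writes and an embedded shell command), and extracts the inetd backdoor line the payload appends, so the responder knows which port and which shell to look for before rebuilding. It also counts entries per day, which makes the "only one message on Aug 12" gap Randy noticed visible mechanically. The sample log is constructed: the statd line is a cleaned copy of the one in the post with the raw shellcode bytes replaced by a "<shellcode>" placeholder, and the other two lines are made up for illustration.

```python
"""Scan a Solaris-style /var/adm/messages for the rpc.statd format-string
attack signature and pull out the inetd backdoor it tries to install."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (assumption: not a real capture). The statd line is a
# cleaned copy of the one quoted in the thread; "<shellcode>" stands in for the
# non-printable payload bytes that sat between the %n writes and /bin/sh.
SAMPLE_MESSAGES = (
    'Aug 11 23:12:01 ultra2 sendmail[212]: XAA00212: from=<user@example.edu>, size=1234\n'
    'Aug 12 00:58:07 ultra2 statd[178]: statd: attempt to create '
    '"/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x '
    '%08x %08x %0242x%n%055x%n%012x%n%0192x%n<shellcode>/bin/sh -c echo '
    '"9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;"\n'
    'Aug 14 09:31:44 ultra2 syslogd: going down on signal 15\n'
)

# BSD-syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
# printf conversions an attacker uses to walk the stack (%08x) and write (%n).
FMT_SPEC_RE = re.compile(r'%0?\d*[dxXn]')
# The command string handed to the shell once the %n writes hijack control.
SHELL_RE = re.compile(r'/bin/sh\s+-c\s+(?P<cmd>.*)')
# An inetd.conf service line: port stream tcp nowait user path [args]
INETD_RE = re.compile(
    r'(?P<port>\d{1,5})\s+stream\s+tcp\s+(?:no)?wait\s+'
    r'(?P<user>\S+)\s+(?P<path>/\S+)\s*(?P<args>[^"\']*)')


@dataclass
class Finding:
    timestamp: str
    host: str
    pid: Optional[str]
    fmt_specs: int            # number of printf conversions in the message
    has_percent_n: bool       # %n present => write primitive, not just a leak
    shell_cmd: Optional[str]  # command after "/bin/sh -c", if any
    backdoor: Optional[Tuple[int, str, str, str]]  # (port, user, path, args)


def scan_messages(text: str) -> List[Finding]:
    """Return one Finding per statd line that looks like a format-string attack."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group('prog') not in ('statd', 'rpc.statd'):
            continue
        msg = m.group('msg')
        specs = FMT_SPEC_RE.findall(msg)
        has_n = '%n' in msg
        shell = SHELL_RE.search(msg)
        # A legitimate statd message never carries %n or a run of %08x, so
        # either is enough to flag the line; an embedded shell command is conclusive.
        if not (has_n or len(specs) >= 4 or shell):
            continue
        cmd = shell.group('cmd').rstrip('"') if shell else None
        backdoor = None
        if cmd:
            im = INETD_RE.search(cmd)
            if im:
                backdoor = (int(im.group('port')), im.group('user'),
                            im.group('path'), im.group('args').strip())
        findings.append(Finding(m.group('ts'), m.group('host'), m.group('pid'),
                                len(specs), has_n, cmd, backdoor))
    return findings


def messages_per_day(text: str) -> Dict[str, int]:
    """Count parseable syslog entries per 'Mon DD' so silent days stand out."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            day = ' '.join(m.group('ts').split()[:2])
            counts[day] = counts.get(day, 0) + 1
    return counts


if __name__ == '__main__':
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f'{f.timestamp} {f.host} statd[{f.pid}]: {f.fmt_specs} conversions, '
              f'%n={f.has_percent_n}')
        if f.backdoor:
            port, user, path, args = f.backdoor
            print(f'  backdoor: tcp/{port} runs {path} {args} as {user}')
    for day, n in sorted(messages_per_day(SAMPLE_MESSAGES).items()):
        print(f'{day}: {n} entries')
```

Run it against a copy of /var/adm/messages (and the rotated messages.N files) taken from the suspect host before it is rebuilt; a hit with a backdoor tuple tells you which port to check in the netstat output and which inetd process to look for, and the per-day counts show whether logging stopped around the time of the attack, as it did in Randy's case.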
Current thread:
- A statd exploit? Randy Nethers (Aug 18)
- Re: A statd exploit? Andreas Östling (Aug 18)
- Re: A statd exploit? Ejovi Nuwere (Aug 18)