Security Incidents mailing list archives

Re: two machines hack through rpc.statd


From: Timothy Lyons <Timothy.Lyons () PREDICTIVE COM>
Date: Wed, 7 Mar 2001 15:21:01 -0500

Vegard Svanberg <vegard () SVANBERG NO>
Sent by: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
03/07/2001 08:47
Please respond to Vegard Svanberg


        To:     INCIDENTS () SECURITYFOCUS COM
        cc:
        Subject:        two machines hack through rpc.statd


<SNIP>
Here's the hostnames/IP addresses he came from:

Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
xinetd[8755]: START: reg pid=9614 from=63.198.203.190

In addition, I am wondering how I should handle this further, and if
I should... I am currently located in Europe while he is probably in the
US or something, hacking from a rooted *DSL-machine... Any tips and
recommendations are appreciated.

</SNIP>


You are probably right that the machine in your logs is a compromised
host, but sending the details of the incident to abuse () home com would not
hurt.  @Home is fairly good about responding to incidents such as this and
at the very least the subscriber box that is being used to initiate the
attacks could be brought offline until such time as it has been repaired.
Make sure you reference the exact times and the timezone your logs are
maintained in when submitting your report.

A scan of the hostname you referenced produced the following output:
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
110/tcp    open        pop-3
119/tcp    open        nntp
137/tcp    filtered    unknown
138/tcp    filtered    unknown
139/tcp    filtered    unknown
1080/tcp   open        socks

Port       State       Service
137/udp    open        unknown
138/udp    open        unknown
139/udp    open        unknown

Remote operating system guess: Windows NT4

This could be erroneous depending on the DHCP lease times @Home uses for
their clients. From the hostname, one can only assume we are dealing with
a cable/DSL subscriber in the San Diego, CA area (sdca.home.com).

As for tips, just the usual "don't run rpc.statd unless necessary and
ensure you have the appropriate firewalling and ACLs in place to enhance
the security of your system" would apply.

--Tim
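Tim's advice to quote exact times and the timezone of the logs is the part of an abuse report that most often goes wrong: classic syslog lines carry neither a year nor a zone, so the reporter has to supply both before the ISP can match them against its own DHCP lease records. The script below is an added example (not code from either poster) that parses constructed syslog lines modelled on the two entries Vegard quoted, attaches the log host's year and UTC offset, and emits a UTC-normalised timeline of every entry that names the suspect host or IP. The hostname "gw", the timestamps, the third unrelated line, and the +01:00 offset for the European log host are all assumptions.

```python
"""Build a UTC-normalised timeline for an abuse report from syslog lines.

Added example, not part of the original thread. The log lines below are
constructed to resemble the two entries quoted in the thread; the
timestamps, the host "gw", the extra sshd line and the +01:00 offset of the
log host are assumptions, not data from the original incident.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (classic syslog: no year, no timezone in the stamp).
SAMPLE_LOG = """\
Mar  7 08:47:12 gw login[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
Mar  7 08:49:03 gw xinetd[8755]: START: reg pid=9614 from=63.198.203.190
Mar  7 08:49:30 gw sshd[9700]: Accepted password for root from 10.0.0.5 port 1022
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The two spellings of the remote end seen in the quoted entries:
# "FROM <host>" (login) and "from=<ip>" (xinetd).
SOURCE_RE = re.compile(r"(?:FROM\s+|from=)(?P<src>[\w.\-]+)", re.IGNORECASE)


def parse_entry(line, year, local_offset_hours):
    """Parse one syslog line; return None if it does not match the format.

    `year` and `local_offset_hours` come from knowledge of the log host,
    because the syslog timestamp itself carries neither.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local_tz = timezone(timedelta(hours=local_offset_hours))
    stamp = datetime.strptime(
        f"{m['mon']} {int(m['day'])} {year} {m['time']}", "%b %d %Y %H:%M:%S"
    ).replace(tzinfo=local_tz)
    src = SOURCE_RE.search(m["msg"])
    return {
        "local": stamp,
        "utc": stamp.astimezone(timezone.utc),
        "prog": m["prog"],
        "source": src["src"] if src else None,
        "msg": m["msg"],
    }


def build_report(log_text, year, local_offset_hours, suspects):
    """Return report lines (UTC first, local time with offset in brackets)
    for every entry whose remote end is one of `suspects`."""
    lines = []
    for raw in log_text.splitlines():
        e = parse_entry(raw, year, local_offset_hours)
        if e and e["source"] in suspects:
            lines.append(
                f"{e['utc']:%Y-%m-%d %H:%M:%S} UTC "
                f"(local {e['local']:%H:%M:%S %z}) {e['prog']}: {e['msg']}"
            )
    return lines


if __name__ == "__main__":
    # Assumed: log host runs at UTC+1 (Central European Time, early March).
    suspects = {"cx589008-a.vista1.sdca.home.com", "63.198.203.190"}
    for line in build_report(SAMPLE_LOG, 2001, 1, suspects):
        print(line)
```

The point of giving both the UTC value and the local stamp with its numeric offset is that the ISP can check the conversion itself; a bare "08:47 local" forces the abuse desk to guess which of several European zones and DST states was in effect. Keep the hostname and the IP separate in the suspect set, as above, because a cable/DSL lease may have been reassigned between the two entries.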

