Subject: The rpc.statd exploit is more common than you think...
From: Avery Payne (apayne@PCFRUIT.COM)
Date: Fri Oct 27 2000 - 10:25:02 CDT
- Next message: Ryan Yagatich: "linux - Check"
- Previous message: Isiah Lau: "Re: port 511. help needed."
- In reply to: Eagle C. Huang: "Re: port 511. help needed."
- Next in thread: Frank J Miles: "For security disable everything that you don't need."
- Reply: Avery Payne: "The rpc.statd exploit is more common than you think..."
- Reply: Frank J Miles: "For security disable everything that you don't need."
- Reply: Andy Wallace: "Re: The rpc.statd exploit is more common than you think..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
From: "Eagle C. Huang" <demom@ms5.hinet.net>
To: <FOCUS-LINUX@SECURITYFOCUS.COM>
Sent: Thursday, October 26, 2000 3:57 AM
Subject: Re: port 511. help needed.
> I recently found one of my friend's linux servers had been hacked via port
> 111 (rpc.statd ?)
> The hacker replaced ls, find, netstat, ps... in this system tried to hide
> some ssh daemon
> which used port 511 for backdoor.
> Try using
> #strings ls
> command to check if there's some weird entry point to a hidden file (such as
> /usr/src/.puta ).
> In that file you will find hacker's directories or files.
>
> Sorry for my poor English.
I've seen a variant of this, but at a different port. It does appear to be
an exploit of the rpc.statd program, and is related to the buffer overflow
advisory that was released not too long ago.
The variant I saw bound to port 31232 and left a rootshell running. The
hidden files in this case were in /dev/sdc/.nis01; also check your rc.d
files as there will be a new line in one of them that restarts the backdoor
upon reboot. Also look for fake in.* daemons in /usr/sbin. As far as I can
tell there was no password catcher but it did seem like there were
provisions for one.
The kit is removed with a **clean copy** of rpm and your Red Hat CD. Mount
your CD on /mnt/cdrom, then cd /mnt/cdrom. Use

  RedHat/instimage/usr/bin/rpm -Uvh --force findutils-4.1-32.i386.rpm \
    sh-utils-2.0-1.i386.rpm fileutils-4.0-8.i386.rpm \
    binutils-2.9.1.0.23-6.i386.rpm net-tools-1.53-1.i386.rpm

to clean up the mess. After the force re-install of the correct utilities
and the cleanup of your rc.* files, be sure to change your root password. A
clean copy of 'ps' will also reveal a daemon running that wasn't there
before; kill it (it's the same one that you'll find in /usr/sbin).
I've put a portscan detector at port 111 and there is A LOT of traffic
probing it; I get anywhere from 2-3 scans a week, to 3 scans a *day* looking
for this exploit. It appears to be fairly popular...
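The two posts above list three indicators that can be checked mechanically: dot-named directories in places that never legitimately hold them (/usr/src/.puta, /dev/sdc/.nis01), an rc.* line that restarts the backdoor at boot, and a trojaned ls/ps/netstat whose strings carry the hidden path. The script below is an added example, not code from either poster; it wraps those three checks in POSIX sh functions (find_hidden_dirs, find_rc_hidden_refs, binary_hidden_strings and count_findings are all names chosen here) and runs them against a constructed sample tree that mimics the indicators from the thread. Like the rpm reinstall in the post, it is only meaningful when run from tools you trust, since a kit that replaces ls and find can hide from them.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): triage checks for the
# kind of rootkit described in the thread. Every path below is part of a
# constructed sample tree; run the functions against "/" on a real host
# only with known-clean tools (e.g. booted from install media).

# List hidden (dot-named) directories under the root's /dev and /usr/src.
# Neither tree legitimately holds dot-directories, so any hit deserves
# a look. Prints one path per line.
find_hidden_dirs() {
    root="$1"
    for base in "$root/dev" "$root/usr/src"; do
        [ -d "$base" ] || continue
        find "$base" -type d -name '.*' 2>/dev/null
    done
}

# Print rc.* lines that reference a hidden path component ("/.name"),
# the usual way a kit arranges to be restarted on reboot.
find_rc_hidden_refs() {
    root="$1"
    [ -d "$root/etc/rc.d" ] || return 0
    grep -n '/\.[^/[:space:]]' "$root"/etc/rc.d/rc* 2>/dev/null || true
}

# Poor man's "strings": keep printable runs of 4+ characters, then report
# any that look like a path with a hidden component. A clean ls, ps or
# netstat has no business carrying such a string.
binary_hidden_strings() {
    bin="$1"
    tr -c '[:print:]' '\n' < "$bin" | grep -E '^.{4,}$' | grep -E '/\.[^/ ]+' || true
}

# Build a constructed sample tree reproducing the thread's indicators:
# a hidden dir under /dev, an rc.local restart line, a fake trojaned ls.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dev/sdc/.nis01" "$root/etc/rc.d" "$root/bin" "$root/usr/src"
    printf '#!/bin/sh\n/sbin/ifconfig lo up\n/dev/sdc/.nis01/rootshell -p 31232 >/dev/null 2>&1 &\n' \
        > "$root/etc/rc.d/rc.local"
    # Fake "binary": a few non-printable bytes around a hidden path string.
    printf '\177ELF\001\002\000\000/usr/src/.puta\000\003\004' > "$root/bin/ls"
    echo "$root"
}

# Total findings across the three checks; anything non-zero means
# "investigate with clean tools before trusting this box".
count_findings() {
    root="$1"
    n=0
    n=$((n + $(find_hidden_dirs "$root" | wc -l)))
    n=$((n + $(find_rc_hidden_refs "$root" | wc -l)))
    n=$((n + $(binary_hidden_strings "$root/bin/ls" | wc -l)))
    echo "$n"
}

# Stand-alone demo on the constructed tree.
demo_root=$(build_sample_tree)
echo "== hidden directories";     find_hidden_dirs "$demo_root"
echo "== rc.* restart lines";     find_rc_hidden_refs "$demo_root"
echo "== hidden paths in bin/ls"; binary_hidden_strings "$demo_root/bin/ls"
echo "== total findings: $(count_findings "$demo_root")"
rm -rf "$demo_root"
```

On a real host the checks are only as good as the find, grep and tr you run them with; copy them from install media or a known-clean machine first, exactly as the post does for rpm. A zero count is not a clean bill of health (a kit can hide its directory elsewhere), but a non-zero count is a strong reason to pull the box offline and rebuild.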