Re: [fw-wiz] rpc.statd message log

From: Robert E. Martin (rmartin_at_fishburne.org)
Date: 04/24/03

  • Next message: Melson, Paul: "RE: [fw-wiz] rpc.statd message log"
    To: PMelson@analysts.com
    Date: Thu, 24 Apr 2003 13:32:53 -0400
    

    PMelson@analysts.com wrote:

    >That all depends. Is the box in question Linux or Solaris on x86? Is the
    >version of statd on it known to be vulnerable? All you've captured is an
    >attempt to exploit a known buffer overflow in rpc.statd. This could be a
    >targeted attack, but it also could be one of a handful of worms that exploit
    >this vulnerability (Lion[1] and Adore[2] are two that I am aware of).
    >
    >PaulM
    >
    >1. http://www.sans.org/y2k/lion_protection.htm
    >2. http://www.ciac.org/ciac/bulletins/l-067.shtml
    >
    >> -----Original Message-----
    >>I believe that the machine has been compromised, but do not find any
    >>trace using cert.org recommended Intruder Detection Checklist. I have
    >>stopped the rpc.statd service, since we don't use this at ALL!
    >>http://www.kb.cert.org/vuls/id/34043
    >>Any thoughts? Anyone?
    >>
    >
    This is a Linux Red Hat 7.2 with all the latest patches working as a
    port forward box for our school's web server. This really is a low usage
    machine, compared to you big boys, and I have scanned it with a demo
    version of Retina. The results were great, as far as I can tell, in
    terms of open and shut ports. After I closed off the portmap service,
    the only port open now is 22 for ssl. Since yesterday, I have not seen
    this message in the logs. Amazing what a little maintenance will do.

    -- 
    Robert E Martin
    IT Manager
    Fishburne Military School
    rmartin@fishburne.org
    540.946.7726
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
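A way to verify the remediation Robert describes (portmap closed, only port 22 left listening) is to check both what the portmapper still advertises and what sockets are actually open. The following is added example code, not part of the thread; it parses constructed samples in the formats printed by `rpcinfo -p` and `netstat -ln` and reports any RPC program still registered (100024 is the `status` program, i.e. rpc.statd) and any listener outside an allowlist.

```python
import re

# Constructed `rpcinfo -p` output: portmapper still up, statd still registered.
RPCINFO_OUTPUT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    857  status
    100024    1   tcp    859  status
"""

# Constructed `netstat -ln` output: only sshd on 22 is expected to remain.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:857             0.0.0.0:*
"""

def parse_rpcinfo(text):
    """Return {(program_number, service_name): [(proto, port), ...]}."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)", line)
        if m:
            prog, _ver, proto, port, name = m.groups()
            regs.setdefault((int(prog), name), []).append((proto, int(port)))
    return regs

def parse_listeners(text):
    """Return a set of (proto, port) for listening sockets in netstat -ln output."""
    listeners = set()
    for line in text.splitlines():
        m = re.match(r"(tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\s", line)
        if m:
            listeners.add((m.group(1), int(m.group(2))))
    return listeners

def audit(rpcinfo_text, netstat_text, allowed_ports=frozenset({("tcp", 22)})):
    """List findings: RPC programs still registered, and listeners not allowed."""
    findings = []
    for (prog, name), endpoints in parse_rpcinfo(rpcinfo_text).items():
        findings.append(f"rpc program {prog} ({name}) registered on {endpoints}")
    for proto, port in sorted(parse_listeners(netstat_text) - allowed_ports):
        findings.append(f"unexpected listener {proto}/{port}")
    return findings

if __name__ == "__main__":
    for f in audit(RPCINFO_OUTPUT, NETSTAT_OUTPUT):
        print("FINDING:", f)
```

An empty findings list is the state Robert reports; anything mentioning program 100024 means rpc.statd is still reachable through the portmapper.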
    
