Re: RPC EXPLOIT statdx

From: Brian (brea@physiometrics.SPAM.ONLY.HELPS.A.BUSINESS.FAIL.net)
Date: 01/23/02


From: "Brian" <brea@physiometrics.SPAM.ONLY.HELPS.A.BUSINESS.FAIL.net>
To: "John Stauffacher" <stauffacher@chapman.edu>, <incidents@securityfocus.com>
Date: Wed, 23 Jan 2002 12:40:21 -0500

i'm seeing more port 111 hits lately, too. cn.net, snet.net, elim.net...
that last one's mexico. i think i also had a dialogue with some isp in
italy about rpc probes, too. yes, i'm certainly seeing more... more FTP than
usual, too, frankly.

my main surprise was a HUGE burst of Nimda and other port 80 nonsense
yesterday and today.

Brian Rea
Senior Network Engineer
PhysioMetrics

----- Original Message -----
From: John Stauffacher <stauffacher@chapman.edu>
To: <incidents@securityfocus.com>
Sent: Tuesday, January 22, 2002 21:05
Subject: RPC EXPLOIT statdx

> In the past few days my firewall has picked up a surge of rpc related
> exploits (statdx) coming from the UK and various other off-shore sites.
> Anyone else see any strange rpc related activity, or am I just suddenly
> the target of pissed off script kiddies.
>
>
> ++
> John Stauffacher
> Network Administrator
> Chapman University
> stauffacher@chapman.edu
> 714-628-7249
>
> -----Original Message-----
> From: Vladimir Ivaschenko [mailto:hazard@francoudi.com]
> Sent: Tuesday, January 22, 2002 1:43 PM
> To: incidents@securityfocus.com
> Subject: optic rootkit (was Re: xsf/xchk)
>
> By using "strings" I have found that the changed binaries point to
> files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo,
> the name of the rootkit is "Optic Kit". I couldn't find anything
> about it using Google. If somebody is interested, I can share
> needed information and the rootkit itself. I have made a copy of
> the rootkit-related files that I found. wtmp was removed, and
> /var/log/messages was cleaned to remove references about attacker
> - e.g. FTP "connection opened" messages.
>
> We are going to reinstall the system, so please email me ASAP if
> you're interested to know any additional details.
>
> Vladimir Ivaschenko wrote about "xsf/xchk":
>
> > Hi,
> >
> > Today a RedHat 7.1 Linux machine of my friend was compromised.
> > I have just started investigating, so I don't have any
> > information of how it was done. After the attack, login via the
> > console stopped working.
> >
> > I have found the following files in /usr/bin: xchk and xsf. They
> > are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
> > sitting on port 14859. I don't know what the purpose of xchk is.
> > killall and ps were also replaced by programs which hide xsf and
> > xchk.
> >
> > Has anyone seen something similar before and can point me to some
> > information? I tried searching for xsf / xchk in Google and
> > didn't have any results.
> >
> > --
> > Best Regards
> > Vladimir Ivaschenko
> > Certified Linux Engineer (RHCE)
>
> --
> Best Regards
> Vladimir Ivaschenko
> Certified Linux Engineer (RHCE)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
> --------------------------------------------------------------------------

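The rootkit findings quoted above (binaries under /dev/tux, xsf and xchk started from rc.sysinit, an ssh daemon on port 14859, ps and killall replaced to hide the processes) are the kind of indicators a defender can check for on a suspect host. The following triage script is an added example and not code from anyone in this thread. It takes the indicators named in the messages and runs them against constructed sample data (a path set, an rc.sysinit excerpt, a /proc/net/tcp excerpt and two PID lists), so it runs offline; on a live system you would feed it the real file contents and the real /proc listing. The comparison of /proc PIDs against ps output is the generalization of the trojaned-ps observation: a process that /proc knows about but ps does not report is the signature of a replaced ps.

```python
"""Host triage for the rootkit indicators described in the thread (added example).

Indicators (paths, port) come from the messages; every input below is
constructed sample data standing in for a live Linux host.
"""

# Indicators taken from the thread.
SUSPECT_PATHS = ["/dev/tux", "/usr/bin/xsf", "/usr/bin/xchk"]
SUSPECT_PORT = 14859          # port the xsf ssh daemon listened on

# --- constructed sample data (not real captures) -----------------------------
SAMPLE_EXISTING_PATHS = {"/dev/tux", "/dev/tux/ssh2/logo",
                         "/usr/bin/xsf", "/usr/bin/xchk", "/bin/ps"}

SAMPLE_RC_SYSINIT = """#!/bin/sh
# constructed excerpt; a real rc.sysinit is much longer
/sbin/ifconfig lo 127.0.0.1 up
/usr/bin/xsf
/usr/bin/xchk
"""

# /proc/net/tcp format: local address is hex IP:PORT, state 0A means LISTEN.
# 0x3A0B == 14859, 0x0016 == 22.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:3A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9999 1 00000000 100 0 0 10 0
"""

# PIDs found by walking /proc versus PIDs the (trojaned) ps reported.
SAMPLE_PROC_PIDS = {1, 2, 345, 812, 813}
SAMPLE_PS_PIDS = {1, 2, 345}                      # 812 and 813 are hidden
SAMPLE_PROC_CMDLINES = {812: "/usr/bin/xsf", 813: "/usr/bin/xchk"}


def check_paths(existing_paths, suspect_paths=SUSPECT_PATHS):
    """Return the suspect paths that are present on the host, sorted."""
    return sorted(p for p in suspect_paths if p in existing_paths)


def check_boot_scripts(rc_text, suspect_paths=SUSPECT_PATHS):
    """Return suspect binaries launched from a boot script such as rc.sysinit."""
    hits = []
    for line in rc_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hits.extend(p for p in suspect_paths if p in line)
    return hits


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text and return the set of TCP ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.split(":")[1], 16))
    return ports


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: evidence of a replaced ps."""
    return sorted(set(proc_pids) - set(ps_pids))


def triage(existing_paths, rc_text, proc_net_tcp_text, proc_pids, ps_pids, cmdlines):
    """Run every check and return a list of human-readable findings."""
    findings = []
    for p in check_paths(existing_paths):
        findings.append(f"suspect path present: {p}")
    for p in check_boot_scripts(rc_text):
        findings.append(f"boot script launches: {p}")
    if SUSPECT_PORT in listening_ports(proc_net_tcp_text):
        findings.append(f"listener on tcp/{SUSPECT_PORT}")
    for pid in hidden_pids(proc_pids, ps_pids):
        findings.append(f"pid {pid} hidden from ps: {cmdlines.get(pid, '?')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXISTING_PATHS, SAMPLE_RC_SYSINIT, SAMPLE_PROC_NET_TCP,
                          SAMPLE_PROC_PIDS, SAMPLE_PS_PIDS, SAMPLE_PROC_CMDLINES):
        print(finding)
```

The checks deliberately read /proc and the boot script directly rather than calling ps, netstat or ls, because the thread shows exactly those user-space tools being replaced; on a compromised host the kernel's /proc view is the more trustworthy source, and the clean-reinstall decision the poster reached is still the right end state once the artifacts have been preserved.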