Red Hat 7.1 rpc.statd problem

From: Blue Boar (BlueBoar@thievco.com)
Date: 12/05/01


Date: Wed, 05 Dec 2001 10:31:46 -0800
From: Blue Boar <BlueBoar@thievco.com>
To: vuln-dev@securityfocus.com

I have a question. It may sound a bit more appropriate for Incidents,
but keep reading.

So, I'm running a Red Hat 7.1 box. I intentionally have many services
running, but I applied all the patches from Red Hat during install, and
I apply any new patches within a few hours of them coming out. I have
this a few times in my messages file:

rpc.statd[496]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

This is fairly common from what I can see. Lots of people report this,
and it appears that this is what you get after the patches have been
applied, and the attack fails. This is the result of a standard exploit,
and I believe also a worm based on that same exploit. There doesn't
appear to be any evidence of a successful intrusion on my box.

So my question is: If this is a patched version, why the heck is it
trying to look up that name? I'm pretty sure that there
isn't someone out there who has that as a reverse name for PTR
records.

Can anyone help clear up my confusion? Is this just a really bad
patch, or is there still room for exploit, or is this the way
it's supposed to work?

                                        BB
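The line quoted above is what the syslog daemon records when the attack string reaches rpc.statd's hostname lookup. As an added example, not part of the original post, here is a small Python check that scans messages-file lines for that signature (the %hn/%n write directives, the oversized %Nx padding and the run of \220, octal for the 0x90 NOP byte) and separates such an attempt from an ordinary failed lookup of a client name. The sample log lines are constructed; the only assumption is that non-printable bytes are rendered as octal escapes, as in the quoted line.

```python
import re

# Shape of the syslog line quoted in the post: "rpc.statd[<pid>]: gethostbyname error for <name>".
STATD_LOOKUP = re.compile(r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<name>.*)$")

# Indicators taken from the quoted string: %n/%hn write directives, very wide
# %Nx padding, and a run of \220 (octal for 0x90, the x86 NOP) as syslog
# renders non-printable bytes.
WRITE_DIRECTIVE = re.compile(r"%\d*h?n")
WIDE_PAD = re.compile(r"%(\d+)x")
NOP_RUN = re.compile(r"(?:\\220){8,}")
WIDE_PAD_THRESHOLD = 1000  # assumption: no legitimate client name carries such a width


def analyze_statd_line(line):
    """Return None unless the line is an rpc.statd lookup failure; otherwise a
    dict with the name looked up, the indicators found, and an attack verdict."""
    m = STATD_LOOKUP.search(line)
    if m is None:
        return None
    name = m.group("name")
    indicators = []
    if WRITE_DIRECTIVE.search(name):
        indicators.append("format-string write (%n/%hn)")
    if any(int(w) >= WIDE_PAD_THRESHOLD for w in WIDE_PAD.findall(name)):
        indicators.append("oversized %x padding")
    if NOP_RUN.search(name):
        indicators.append("NOP sled (\\220 run)")
    return {"pid": int(m.group("pid")), "name": name,
            "indicators": indicators, "attack": bool(indicators)}


def scan_messages(lines):
    """Return the analyses of every line judged to be an exploit attempt."""
    results = (analyze_statd_line(l) for l in lines)
    return [r for r in results if r is not None and r["attack"]]


# Constructed sample log; the second line is modelled on (and shorter than) the one in the post.
SAMPLE_LOG = [
    "Dec  5 10:30:01 nfs1 rpc.statd[496]: gethostbyname error for client42.example.test",
    "Dec  5 10:31:46 nfs1 rpc.statd[496]: gethostbyname error for "
    + "^X\\367\\377\\277^X\\367\\377\\277" + "%8x" * 9
    + "%62716x%hn%51859x%hn" + "\\220" * 40,
    "Dec  5 10:32:00 nfs1 sshd[1200]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_LOG):
        print("pid %d: exploit attempt, indicators: %s" % (hit["pid"], ", ".join(hit["indicators"])))
```

A plain lookup failure for a real client name (first sample line) is reported with no indicators, so only the format-string attempt is flagged.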


