rpc.statd loaded on redhat 7.0 is vunerable

locked down a ftp server that the french hoodlums hosed via anonymous ftp. Turned off nfs etc but forgot to turn off rpc.statd. Got a call on monday asking if I had added a user called admin with a uid of 0. OH! SH*T! log files empty ps and a lot of other files changed in bin, ssh session going out port 6006 and I liked the hosts.allow file. Looked entirely normal until I did a cat - vet hosts.allow. 60 carriage returns followed by the the line ALL:ALL:.dk. We back up nightly so found the date of the passwd file change, did a find on all files changed on or after then restored from tape to get the pertinent logs. Got the little bastard. logged in from a c class network, got his ippaddress and his resolved name which was a ip hanging off of a adsl modem in Denmark. Now that id could have been a university address or whatever but a ftp session was started on Sept 27th and denied because we had turned off anonymous. Must have pissed him off because the logs show continuous bufferoverun on rpc.statd from there till he got in and put in a root kit. After rooting the box he did a telnet from the same resolved name and was mucking in the system. Gave the harddrive to security for Munich Legal and rebuilt from scratch making sure we went by a checklist this time to turn it all off.

thanx,
bill

Post #13,139 by boxley 10/12/01 12:43:25 PM Reply	rpc.statd loaded on redhat 7.0 is vunerable locked down a ftp server that the french hoodlums hosed via anonymous ftp. Turned off nfs etc but forgot to turn off rpc.statd. Got a call on monday asking if I had added a user called admin with a uid of 0. OH! SH*T! log files empty ps and a lot of other files changed in bin, ssh session going out port 6006 and I liked the hosts.allow file. Looked entirely normal until I did a cat - vet hosts.allow. 60 carriage returns followed by the the line ALL:ALL:.dk. We back up nightly so found the date of the passwd file change, did a find on all files changed on or after then restored from tape to get the pertinent logs. Got the little bastard. logged in from a c class network, got his ippaddress and his resolved name which was a ip hanging off of a adsl modem in Denmark. Now that id could have been a university address or whatever but a ftp session was started on Sept 27th and denied because we had turned off anonymous. Must have pissed him off because the logs show continuous bufferoverun on rpc.statd from there till he got in and put in a root kit. After rooting the box he did a telnet from the same resolved name and was mucking in the system. Gave the harddrive to security for Munich Legal and rebuilt from scratch making sure we went by a checklist this time to turn it all off. thanx, bill tshirt front "born to die before I get old" thshirt back "fscked another one didnja?"
Post #13,202 by a6l6e6x 10/12/01 9:12:58 PM Reply	Good show, Box! Alex Whom the gods wish to destroy, they first make mad. -- Euripides
Post #14,497 by CRConrad 10/21/01 10:07:06 PM Reply	You want some suitably nasty message for him... ...I suppose I can make one up for you in "Scandinavian" -- the kind-of-pidgin (mostly simplified Swedish) Scandahoovians speak when they get together and don't speak each other's language. Or, heck, I could just call him a fucking asshole in Swedish; he'll get that, I assure you. OTOH, you can just do it yourself, in English. Scandahoovians -- especially ones young and computer-literate enough to hack other people's networks -- all speak, read, and write it. Christian R. Conrad The Man Who Knows Fucking Everything
Post #14,505 by boxley 10/21/01 10:54:58 PM Reply	if he didnt understand duey.sieweb.com warning message maybe a little scandihoovian might get the point that we know where the little bastard lives.:) thanx, bill tshirt front "born to die before I get old" thshirt back "fscked another one didnja?"

Welcome to IWETHEY!