[techtalk] Compromise, perhaps?
Raven, corporate courtesan
damask0 at yahoo.com
Wed Jun 13 13:12:04 EST 2001
Heya --
Quoth Brian:
> The other day whilst I was on vacation, another sys admin noticed
> that check-packages on a machine had been altered, and on that day a
> login via telnet from an unknown ip was detected. This made him
> worry, so I checked it out today, and found this in the logs:
>
> rpc.statd[341]: gethostbyname error for
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>[snip a whole
> bunch of <90>s]
That's the Ramen worm or one of its knockoffs. You can read all
about it at http://www.sans.org/infosecFAQ/malicious/ramen.htm
> This seems to be evidence of a hack of rpc.statd; some kind of buffer
> overflow, maybe?
Quite. The Ramen worm uses rpc.statd as one of three avenues of
attack to a vulnerable host. However, you may not have actually been
successfully hacked. If you have a recent version of rpc.statd, you
may just see the error without actually getting the buffer overflow.
Are you running wu-ftpd or LPRng on the same host?
> Indeed, I know rpc.statd has holes, but we're supposedly running the
> latest "secure" version.
Do a Google search on "ramen rpc.statd [your version number]" to
see if you're vulnerable.
> The weird thing is, this shows up occasionally in the logs as far
> back as they go (~1 month).
The Ramen worm's been on the loose for a few months, so this isn't
surprising. My firewall at home gets hits on this and the Lion worm
all the time.
> So, I think it's been hacked, but I can't tell how long and/or to
> what extent.
Run MD5 checksums on your binaries and compare them against the
values of what they're supposed to be. Don't trust any of your
binaries on the system; boot from a CD or floppy and use kernel and
binaries from that, and then mount your hard drive as /uhoh or
something.
> I guess I'm just wondering if anyone's ever seen the above error
> from statd without it being related to a hack.
Yep. On a failed hack. [grin]
> I also can't figure out why if it has been compromised for so long
> they only changed the binary this week.
See what else was changed, change the root password immediately,
and portscan and netcat and nmap the machine from a known good host
from outside.
Cheers,
Raven
=====
"Yaaay! I'm all for that! Anything that lessens paperwork!"
"Don't be so quick about that..."
"Okay! Down with I-Time! Boooo!"
-- just another NCC meeting
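The two checks Raven recommends above, as an added example that is not code from the original thread: telling an rpc.statd overflow attempt apart from an ordinary failed lookup in the syslog rendering Brian pasted, and comparing binaries on the suspect disk (mounted from trusted boot media, as /uhoh or similar) against a known-good MD5 manifest. The log lines, the file tree and the NOP threshold are constructed for the demo; the only real formats assumed are syslog's escaping of non-printable bytes and md5sum's output.

```python
"""Triage helpers for the incident discussed in this thread.

Added example, not code from the original post. Log lines and the file
tree below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# syslog shows non-printable bytes as caret notation (^X = 0x18) or hex in
# angle brackets (<F7>). In the thread's line the "hostname" statd tried to
# resolve is such a blob: little-endian stack addresses (0xbffff718 renders
# as ^X<F7><FF><BF>) followed by a run of <90>, the x86 NOP used as padding.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)$")
ESCAPED_BYTE_RE = re.compile(r"<[0-9A-Fa-f]{2}>|\^[@-_]")
NOP_RE = re.compile(r"<90>")

# Constructed sample lines: the first mimics the thread's with the snipped
# NOP run written out, the second is an ordinary lookup failure.
SAMPLE_LOG = [
    "Jun 11 02:17:45 mail rpc.statd[341]: gethostbyname error for "
    + "^X<F7><FF><BF>" * 2 + "^Y<F7><FF><BF>" * 2 + "<90>" * 40,
    "Jun 13 03:14:22 mail rpc.statd[341]: gethostbyname error for "
    "nfsclient.example.com",
]


def classify_statd_line(line, nop_threshold=8):
    """None for non-statd lines; otherwise a dict whose verdict is
    'overflow' (payload is mostly escaped bytes or carries a NOP sled) or
    'lookup-failure' (a printable name that simply failed to resolve).
    nop_threshold is an arbitrary demo value."""
    m = STATD_RE.search(line)
    if not m:
        return None
    payload = m.group(1)
    nops = len(NOP_RE.findall(payload))
    escaped_chars = sum(len(e) for e in ESCAPED_BYTE_RE.findall(payload))
    mostly_binary = bool(payload) and escaped_chars * 2 >= len(payload)
    return {
        "verdict": "overflow" if nops >= nop_threshold or mostly_binary
        else "lookup-failure",
        "nops": nops,
        # <FF><BF> is the high half of a 0xbfffXXXX Linux/x86 stack address.
        "stack_addr": "<FF><BF>" in payload,
    }


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root, manifest_lines):
    """Compare files under root (the suspect disk, mounted read-only from
    trusted media) against md5sum-format lines: '<hex>  <path>'. Paths are
    absolute on the suspect system; buckets are ok / modified / missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for line in manifest_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, path = line.split(None, 1)
        path = path.lstrip("*")  # md5sum marks binary mode with '*'
        target = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(target):
            result["missing"].append(path)
        elif md5_of(target).lower() != expected.lower():
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def build_demo_tree():
    """Constructed stand-in for the mounted suspect disk: two 'binaries', a
    manifest recorded before the incident, then check-packages replaced (as
    in the thread) and one manifest entry whose file is absent."""
    root = tempfile.mkdtemp(prefix="uhoh-")
    originals = {
        "/bin/ls": b"original ls\n",
        "/usr/sbin/check-packages": b"original check-packages\n",
    }
    for path, data in originals.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = ["%s  %s" % (md5_of(os.path.join(root, p.lstrip("/"))), p)
                for p in originals]
    manifest.append("0" * 32 + "  /sbin/rpc.statd")  # listed, not on disk
    with open(os.path.join(root, "usr/sbin/check-packages"), "wb") as f:
        f.write(b"trojaned check-packages\n")
    return root, manifest


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify_statd_line(entry))
    demo_root, demo_manifest = build_demo_tree()
    print(verify_manifest(demo_root, demo_manifest))
```

The manifest has to come from somewhere the attacker could not reach: vendor package checksums or a copy taken from an identical clean install, never from the suspect disk itself, and the comparison must run with a kernel and md5sum from the boot media, since a rootkit that replaced check-packages may also have replaced the tools you would use to look for it.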