[techtalk] Compromise, perhaps?

Raven, corporate courtesan damask0 at yahoo.com
Wed Jun 13 13:12:04 EST 2001


Heya --

Quoth Brian:
> The other day whilst I was on vacation, another sys admin noticed
> that check-packages on a machine had been altered, and on that day a
> login via telnet from an unknown ip was detected.  This made him
> worry, so I checked it out today, and found this in the logs:
> 
> rpc.statd[341]: gethostbyname error for
> ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>[snip a whole
> bunch of <90>s]

     That's the Ramen worm or one of its knockoffs.  You can read all
about it at http://www.sans.org/infosecFAQ/malicious/ramen.htm
  
> This seems to be evidence of a hack of rpc.statd; some kind of buffer
> overflow, maybe? 

     Quite.  The Ramen worm uses rpc.statd as one of three avenues of
attack to a vulnerable host.  However, you may not have actually been
successfully hacked.  If you have a recent version of rpc.statd, you
may just see the error without actually getting the buffer overflow. 
Are you running wu-ftpd or LPRng on the same host?

> Indeed, I know rpc.statd has holes, but we're supposedly running the
> latest "secure" version.

     Do a Google search on "ramen rpc.statd [your version number]" to
see if you're vulnerable.
 
> The weird thing is, this shows up occasionally in the logs as far
> back as they go (~1 month).

     The Ramen worm's been on the loose for a few months, so this isn't
surprising.  My firewall at home gets hits on this and the Lion worm
all the time.

> So, I think it's been hacked, but I can't tell how long and/or to
> what extent.

     Run MD5 checksums on your binaries and compare them against the
values of what they're supposed to be.  Don't trust any of your
binaries on the system; boot from a CD or floppy and use kernel and
binaries from that, and then mount your hard drive as /uhoh or
something.

> I guess I'm just wondering if anyone's ever seen the above error
> from statd without it being related to a hack. 

     Yep.  On a failed hack.  [grin]

> I also can't figure out why if it has been compromised for so long
> they only changed the binary this week.

     See what else was changed, change the root password immediately,
and portscan and netcat and nmap the machine from a known good host
from outside.

Cheers,
Raven

=====
"Yaaay!  I'm all for that!  Anything that lessens paperwork!"
"Don't be so quick about that..."
"Okay!  Down with I-Time!  Boooo!"
 -- just another NCC meeting
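Raven's point that the gethostbyname error can appear on a patched rpc.statd as well as on a compromised one makes the log line a triage signal rather than proof of a break-in. As an added example, not code from the thread or its participants, here is a small Python scanner that separates an ordinary unresolvable hostname from an argument carrying raw shellcode-like bytes of the kind shown in the quoted log; the sample syslog lines and the thresholds are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample syslog records, kept as bytes because the hostname
# argument in an rpc.statd overflow attempt contains raw non-printable
# bytes (rendered in the archive as ^X<F7><FF><BF> and runs of <90>).
SAMPLE_LOG = b"\n".join([
    b"Jun 12 03:14:07 host rpc.statd[341]: gethostbyname error for nosuchhost.example.net",
    b"Jun 12 03:15:21 host rpc.statd[341]: gethostbyname error for "
    + b"\x18\xf7\xff\xbf" * 2 + b"\x19\xf7\xff\xbf" * 2 + b"\x90" * 64 + b"\xeb\x0c",
    b"Jun 12 03:16:00 host sshd[400]: Accepted password for user1 from 10.0.0.5",
])

STATD_RE = re.compile(rb"rpc\.statd\[(\d+)\]: gethostbyname error for (.*)$")

def classify_statd_line(line: bytes) -> Optional[str]:
    """Return None for lines that are not rpc.statd gethostbyname errors,
    'benign' when the failing hostname is ordinary printable text,
    'overflow-attempt' when it carries a NOP-sled-like run of 0x90 or is
    mostly non-printable, and 'suspicious' for anything in between.
    A hit still needs the host checked (patched statd logs the same error)."""
    m = STATD_RE.search(line)
    if not m:
        return None
    arg = m.group(2)
    nonprintable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    nop_run = max((len(r) for r in re.findall(rb"\x90+", arg)), default=0)
    if nonprintable == 0:
        return "benign"
    # Constructed heuristics: a 16-byte 0x90 run or >25% non-printable bytes.
    if nop_run >= 16 or nonprintable > len(arg) // 4:
        return "overflow-attempt"
    return "suspicious"

def scan_log(data: bytes) -> List[Tuple[int, str]]:
    """Scan every line; return (line_number, verdict) for statd error lines."""
    findings = []
    for n, line in enumerate(data.split(b"\n"), start=1):
        verdict = classify_statd_line(line)
        if verdict is not None:
            findings.append((n, verdict))
    return findings

if __name__ == "__main__":
    for lineno, verdict in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}")
```

Feed it the raw /var/log/messages bytes (not a text-mode copy, which would mangle the high bytes); an "overflow-attempt" verdict is the cue to do the offline checksum comparison Raven describes, not a conclusion on its own.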
