SUMMARY: Suspicious statd error messages on 2.5/2.5.1 machines

From: James Kwong (kwong@solar.acast.nova.edu)
Date: Tue Apr 07 1998 - 16:56:50 CDT


Dear Sun Managers,

Thanks for all the responses from the following people:
        Bob Rahe
        Casper Dik
        Chris Liljenstolpe
        David Mitchell
        Gregory Coleman
        Heidi Burgiel
        James Hsieh
        Jamie Lawrence
        Joel Lee
        Marc Newman
        Marc S. Gibian
        Mark Bergman
        Nikos George
        Rachel Polanskis
        Ronald Loftin
        Thomas Anders
        foster@bial1.ucsd.edu
(excuse me if I miss anyone)

My Original Question:

>> A couple of our 2.5/2.5.1 machines got the following in /var/adm/messages
>> yesterday. When I compared it with another 2.4 machine, I got a similar
>> but slightly different message. Has anyone seen this before?

>> On Solaris 2.5/2.5.1 machines:
>> /var/adm/messages:Apr 5 06:20:21 machine1 statd[145]: attempt to create
>> "/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/.nfs09 D H $ $ $ $ ` O * * * * # # P *` c 6) # # ; # XbinXsh tirdwr "
>> On a Solaris 2.4 machine:
>> /var/adm/messages:Apr 5 16:46:24 scis statd[131]: statd: open of
>> /var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.., error Invalid argument
>>
>> P.S. 103468-03 statd patch has been applied on these 2.5/2.5.1 machines.
>> Are there some other patches that I need to install too?

In short, almost all of the replies mentioned that our system is under
attack by the buffer overflow bug in statd. :( The patches for this
statd exploit for sparc are 104166-03 for 2.5.1, 103468-03 for 2.5
and 102769-04 for 2.4.

A few recommended that I should read www.cert.org for advice and
the readings from:

        ftp.cert.org/pub/cert_advisories/CA-97.26.statd

Casper mentioned that the patch I installed (103468-03) should protect us
against the attack.

Also, as pointed out by James Hsieh, section IV.B of

        http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd

describes the exact same error message that I posted. This section
mentions that only those who have tcp_wrappers and the 'logging portmapper'
(?) will see the attack in the normal log files like /var/adm/messages.
Otherwise, you might never see the attack in any normal system logs.

Thanks again.

- James.

+---------------------------------+----------------------------------+
| Unix System Administrator | James Kwong 954-262-4906 |
| Nova Southeastern University | kwong@solar.acast.nova.edu |
+---------------------------------+----------------------------------+
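The tell-tale in the lines quoted above is a statd message naming a file under /var/statmon/sm whose "../" components, once resolved, land somewhere else entirely (/tmp/.nfs09 on the 2.5/2.5.1 machines, the root directory on the 2.4 machine), followed by the mangled "/bin/sh" string from the payload. The scanner below is an added example for this page, not code from the original post, from Sun or from the CERT/SDSC bulletins: it parses /var/adm/messages-style lines, keeps only statd entries, resolves the path the daemon was asked to create and raises an alert when that path escapes the statmon directory. The sample log lines are constructed (shortened "../" runs, placeholder bytes in place of the shellcode), and the ".bin.sh" heuristic for the slash-mangled "/bin/sh" string and all function and field names are assumptions made for the example.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Directory in which statd (rpc.statd) keeps its monitor files on Solaris.
STATMON_DIR = "/var/statmon/sm"

# Constructed sample /var/adm/messages lines modelled on the ones in the post.
# The "../" runs are shortened and the trailing bytes are stand-ins for the
# shellcode; nothing here was captured from a real machine.
TRAVERSAL_16 = "../" * 16
TRAVERSAL_20 = "../" * 20
SAMPLE_LOG = "\n".join([
    f'Apr  5 06:20:21 machine1 statd[145]: attempt to create '
    f'"{STATMON_DIR}//{TRAVERSAL_16}tmp/.nfs09 D H $ $ XbinXsh tirdwr "',
    f'Apr  5 16:46:24 scis statd[131]: statd: open of '
    f'{STATMON_DIR}//{TRAVERSAL_20}.., error Invalid argument',
    f'Apr  5 06:25:00 machine1 statd[145]: attempt to create '
    f'"{STATMON_DIR}/nfsclient.example.com"',
    'Apr  5 06:26:00 machine1 sendmail[200]: ../../../etc/passwd in another daemon is ignored',
])

# Classic BSD syslog layout: "Mon dd hh:mm:ss host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The path statd complains about: from the statmon directory up to the first
# whitespace, comma or double quote.
STATMON_PATH_RE = re.compile(re.escape(STATMON_DIR) + r'[^\s,"]*')
# The payload's "/bin/sh" reaches the log with its slashes replaced by other
# bytes (the post shows it as "XbinXsh"), so allow any one byte in the slash
# positions. This is a heuristic chosen for the example, not a vendor signature.
SHELL_RE = re.compile(r".bin.sh")


@dataclass
class StatdAlert:
    timestamp: str
    host: str
    pid: int
    raw_path: str          # path exactly as it appears in the log line
    resolved_path: str     # where the path points after "../" resolution
    traversal_depth: int   # number of "../" components in the raw path
    shell_marker: bool     # "/bin/sh"-like string seen in the same message


def resolve(raw_path: str) -> str:
    """Collapse "." and ".." components the way a POSIX path lookup would."""
    return posixpath.normpath(raw_path)


def escapes_statmon(raw_path: str) -> bool:
    """True if the name statd was asked to create lies outside STATMON_DIR."""
    resolved = resolve(raw_path)
    return not (resolved == STATMON_DIR or resolved.startswith(STATMON_DIR + "/"))


def analyse_line(line: str) -> Optional[StatdAlert]:
    """Return an alert for a statd line whose path escapes the statmon directory."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "statd":
        return None
    msg = m["msg"]
    p = STATMON_PATH_RE.search(msg)
    if not p:
        return None
    raw = p.group(0)
    if not escapes_statmon(raw):
        return None
    return StatdAlert(
        timestamp=m["ts"],
        host=m["host"],
        pid=int(m["pid"]),
        raw_path=raw,
        resolved_path=resolve(raw),
        traversal_depth=raw.count("../"),
        shell_marker=SHELL_RE.search(msg) is not None,
    )


def scan_messages(text: str) -> List[StatdAlert]:
    """Run analyse_line over every line of a /var/adm/messages-style text."""
    return [a for a in (analyse_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for a in scan_messages(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} statd[{a.pid}]: {a.traversal_depth} x '../' "
              f"-> {a.resolved_path}  shell_marker={a.shell_marker}")
```

Resolving the path rather than counting "../" is what makes the check robust: a legitimate monitor file such as /var/statmon/sm/nfsclient.example.com stays inside the directory and is ignored, while any name that climbs out of it is reported whatever the exact number of traversal components, and the shell marker is reported separately because the 2.4 "open of" message does not carry the payload bytes at all.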



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:36 CDT