SUMMARY: Unknown message in /var/adm/messages

From: Lionel Bouchet (lionel@apollo.nuceng.ufl.edu)
Date: Mon Apr 27 1998 - 10:46:04 CDT


This is really a great list!!! After 1 hour, I had already got 5
answers.... After 24 hours, I had 25 answers!!!
Thanks to the following people:

Greg Obremski
Mika Tuupola
Matthew Potter
Gary Trail
Sean Harding
Rachel Polanskis
job bogan
Brian Desmond
Paul H. Yoshimune
Gene Rackow
Mark Henderson
Venu M Middela
James Ford
Chris Marble
Rodney Wines
Ramindur Singh
Brian T. Wightman
Iskander, Tim
Dean Humphrey
Francois Leclerc
Gerald Litteer
Marc S. Gibian
Mark Baldwin
Ramesh Radhakrishnan
Amol Karnik

Summary:

This problem was posted on the Sun Managers mailing list 3 weeks ago. It
was an attack on my system using the buffer overflow bug in statd (see the
CERT advisory: ftp.cert.org/pub/cert_advisories/CA-97.26.statd). A patch
just needs to be applied (103468-03 for Solaris 2.5.1), which you can get from
SunSolve (sunsolve.sun.com/pub-cgi/us/pubpatchpage.pl). There is also a
summary of this bug at:
   http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd

I did not find anything wrong on my system. I checked for:
1) strange files in /tmp (such as .nfs.....)
2) files such as : /dev/.errors or /dev/ptya
3) change in creation date for the files:
        /bin/login
        /usr/sbin/in.*
        /lib/libc.so
        files called from inetd
        /etc/rc*.d files
etc... (check the compromise FAQ at:
        http://www.iss.net/vd/compromise.html)
        
4) check all .rhosts files + hosts.equiv
5) check for changes in inetd.conf and services
6) check for all files that have been changed within the suspected time
of the break-in (find / -ctime -7 -ctime +2 -ls)

7) and I finally rebooted my computer.

You can check what to do at the following address in case of a break-in:
        http://www.iss.net/vd/compromise.html

Lionel

Here is my original question:

Hello sun managers,
 
I got a strange, unknown message in /var/adm/messages. Could someone
give me a clue about it??
 
Thanks,
 
Lionel
 
THE MESSAGE:
 
Apr 25 13:31:23 apollo statd[135]: attempt to create
"/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../..//../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../tmp/.nfs09 D H $ $ $ $
         ` O * * * * # # P *` c 6
                ) # # ;
#
          XbinXsh tirdwr "
Apr 25 14:03:18 apollo statd[135]: attempt to create
"/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../..//../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../tmp/.nfs09 D H $ $ $ $
         ` O * * * * # # P *` c 6
                ) # # ;
#
          XbinXsh tirdwr "
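The message above is the signature of the CA-97.26 statd attack: a "create" request whose name climbs out of /var/statmon/sm with a long run of "../" and carries what looks like shellcode (the "XbinXsh" fragment is "/bin/sh" with a filler byte where a NUL would be). The following is an added example, not code from the original post, that picks such lines out of a syslog-style file. The SAMPLE_LOG lines are constructed to resemble the message shown above, each joined onto one line; the thresholds and names (STATMON_DIR, SHELL_RE, ODD_CHARS_RE) are assumptions of this example.

```python
"""Flag rpc.statd path-traversal / overflow attempts in syslog lines.

Added example, not code from the original post. The SAMPLE_LOG lines are
constructed to resemble the message shown above, each joined onto one line."""
import posixpath
import re
from dataclasses import dataclass

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CREATE_RE = re.compile(r'attempt to create "(?P<name>.*)"\s*$')
STATMON_DIR = "/var/statmon/sm"          # the only place statd should write
SHELL_RE = re.compile(r"bin.sh")         # "/bin/sh" with a NUL swapped for a filler byte
ODD_CHARS_RE = re.compile(r"[^\w./-]")   # anything that cannot appear in a host name

# Constructed sample, modelled on the message above (assumed, not the real log).
SAMPLE_LOG = """\
Apr 25 13:31:23 apollo statd[135]: attempt to create "/var/statmon/sm//../../../../../../../tmp/.nfs09 D H $ $ XbinXsh tirdwr "
Apr 25 13:40:02 apollo statd[135]: attempt to create "/var/statmon/sm/client01"
Apr 25 14:03:18 apollo statd[135]: attempt to create "/var/statmon/sm//../../../../../../../tmp/.nfs09 D H $ $ XbinXsh tirdwr "
Apr 25 14:10:00 apollo sendmail[2001]: NOQUEUE: connection refused
"""


@dataclass
class Finding:
    line_no: int
    ts: str
    host: str
    traversal_depth: int   # number of "../" components in the requested name
    target: str            # where the name actually resolves to
    shell_marker: bool     # carries a /bin/sh-like string (shellcode)
    odd_chars: bool        # bytes that no legitimate client name would contain


def analyse_name(line_no, ts, host, name):
    """Return a Finding if the requested statmon name is not a plain host name."""
    depth = name.count("../")
    first_token = name.split()[0] if name.split() else name
    target = posixpath.normpath(first_token)      # collapse the ../ run
    escaped = not target.startswith(STATMON_DIR + "/")
    shell = SHELL_RE.search(name) is not None
    odd = ODD_CHARS_RE.search(name) is not None
    if escaped or shell or odd:
        return Finding(line_no, ts, host, depth, target, shell, odd)
    return None


def scan_log(text):
    """Parse syslog lines and return Findings for suspicious statd creates."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "statd":
            continue
        c = CREATE_RE.search(m["msg"])
        if not c:
            continue
        f = analyse_name(line_no, m["ts"], m["host"], c["name"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.ts} {f.host}: ../ x{f.traversal_depth} -> {f.target}"
              f" shell={f.shell_marker} odd={f.odd_chars}")
```

The legitimate entry (a plain client host name under /var/statmon/sm) is not reported; both attack lines are, with the name resolving to /tmp/.nfs09 after the traversal is collapsed. Run it against a real /var/adm/messages by reading the file into scan_log; the original log wraps each message over several lines, so join continuation lines first.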
 
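The seven checks listed in the summary above (hidden files in /tmp, .rhosts and hosts.equiv, files whose inode change time falls in the suspected window, as find / -ctime -7 -ctime +2 does) can be scripted so they run the same way on every host. The following is an added example, not code from the original post or from any of the referenced advisories; it builds a small constructed directory tree to run against, and the window bounds, the report layout and the fixture contents are assumptions of this example.

```python
"""Post-incident host checks from the summary above, in Python instead of find(1).

Added example; nothing here comes from the original post. make_fixture() builds
constructed test data, not a real system."""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class Report:
    ctime_window: list = field(default_factory=list)   # (path, age in days)
    trust_files: list = field(default_factory=list)    # (path, reason)
    hidden_tmp: list = field(default_factory=list)     # dotfiles under /tmp


def days_from_now(n):
    """Reference time n days in the future/past (used to position the window)."""
    return time.time() + n * 86400


def ctime_window(root, ref_time, older_than=2, newer_than=7):
    """Step 6, roughly `find ROOT -ctime -7 -ctime +2`: entries whose inode
    change time lies between 2 and 7 days before ref_time. find(1) rounds the
    age up to whole days; this uses the exact age, so it is slightly wider."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            age = (ref_time - st.st_ctime) / 86400
            if older_than < age < newer_than:
                hits.append((path, round(age, 2)))
    return hits


TRUST_NAMES = {".rhosts", "hosts.equiv"}
WILDCARD = re.compile(r"^\s*\+")           # a leading '+' trusts every host/user


def trust_files(root):
    """Step 4: every .rhosts / hosts.equiv that is writable by others or
    contains a wildcard entry."""
    issues = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in TRUST_NAMES:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append((path, "group/world writable"))
            with open(path, errors="replace") as fh:
                for line in fh:
                    if WILDCARD.match(line):
                        issues.append((path, "wildcard entry: " + line.strip()))
                        break
    return issues


def hidden_tmp(tmpdir):
    """Step 1: dotfiles in /tmp (the attack above drops /tmp/.nfs09)."""
    try:
        names = os.listdir(tmpdir)
    except OSError:
        return []
    return sorted(os.path.join(tmpdir, n) for n in names if n.startswith("."))


def run_checks(root, ref_time, tmpdir=None):
    """Run the three scripted checks against ROOT and collect a Report."""
    return Report(
        ctime_window=ctime_window(root, ref_time),
        trust_files=trust_files(root),
        hidden_tmp=hidden_tmp(tmpdir or os.path.join(root, "tmp")),
    )


def make_fixture():
    """Constructed test tree (assumed, not a real host): a binary, a wildcard
    .rhosts and a /tmp dotfile named like the one in the statd message."""
    root = tempfile.mkdtemp(prefix="hostcheck-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "bin", "login"), "w") as fh:
        fh.write("#!/bin/sh\n")
    with open(os.path.join(root, ".rhosts"), "w") as fh:
        fh.write("+ +\n")
    with open(os.path.join(root, "tmp", ".nfs09"), "w") as fh:
        fh.write("")
    return root


if __name__ == "__main__":
    root = make_fixture()
    # Pretend the break-in window is 2..7 days before a point 3 days from now,
    # so the freshly created fixture files fall inside it.
    print(run_checks(root, ref_time=days_from_now(3)))
```

On a real host run it as root with root="/" and ref_time=time.time(); ctime is what a simple `touch -t` or utime() cannot reset, which is why step 6 uses -ctime rather than -mtime, though a trojaned binary installed more than 7 days ago, or one whose ctime was reset by setting the system clock, will not appear, so the window is a first pass and not a substitute for checksums against known-good media.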
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:39 CDT