This is really a great list!!! After 1 hour, I had already got 5
answers.... After 24 hours, I had 25 answers!!!
Thanks to the following people:
Greg Obremski
Mika Tuupola
Matthew Potter
Gary Trail
Sean Harding
Rachel Polanskis
job bogan
Brian Desmond
Paul H. Yoshimune
Gene Rackow
Mark Henderson
Venu M Middela
James Ford
Chris Marble
Rodney Wines
Ramindur Singh
Brian T. Wightman
Iskander, Tim
Dean Humphrey
Francois Leclerc
Gerald Litteer
Marc S. Gibian
Mark Baldwin
Ramesh Radhakrishnan
Amol Karnik
Summary:
This problem was posted on the Sun Managers mailing list 3 weeks ago. It
was an attack on my system using the buffer overflow bug in statd (see the
CERT advisory: ftp.cert.org/pub/cert_advisories/CA-97.26.statd). A patch
just needs to be applied (103468-03 for Solaris 2.5.1), which you can get from
sunsolve (sunsolve.sun.com/pub-cgi/us/pubpatchpage.pl). There is also a
summary of this bug at:
http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd
I did not find anything wrong on my system. I checked for:
1) strange files in /tmp (such as .nfs.....)
2) files such as: /dev/.errors or /dev/ptya
3) changes in creation date for the files:
/bin/login
/usr/sbin/in.*
/lib/libc.so
files called from inetd
/etc/rc*.d files
etc... (check the compromise FAQ at:
http://www.iss.net/vd/compromise.html)
4) check all .rhosts files + hosts.equiv
5) check for changes in inetd.conf and services
6) check for all files that have been changed within the suspected time
of the break-in (find / -ctime -7 -ctime +2 -ls)
7) and I finally rebooted my computer.
You can check what to do at the following address in case of a break-in:
http://www.iss.net/vd/compromise.html
Lionel
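As an added example (not part of Lionel's post or of the Sun Managers thread), a small POSIX sh script that automates the log check and steps 4 and 6 of the checklist above. The sample /var/adm/messages lines and the .rhosts content are constructed to mirror the quoted statd messages; every path and function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for the
# statd break-in checklist. The sample log below is constructed; all
# file names and paths are assumptions.

# Count syslog lines in which statd reports an attempt to create a file
# whose path escapes /var/statmon through "../" (the quoted pattern).
statd_traversal_hits() {
    grep 'statd\[[0-9]*\]: attempt to create' "$1" | grep -c '/\.\./'
}

# Print each distinct target the traversal resolves to (e.g. /tmp/.nfs09),
# which is the file to look for in step 1 of the checklist.
statd_target_path() {
    sed -n 's|.*/\.\.\(/[^ "]*\).*|\1|p' "$1" | sort -u
}

# Step 4: report .rhosts / hosts.equiv lines containing a "+" wildcard
# field, i.e. trust granted to any host or any user. Output: file:line:text
rhosts_wildcards() {
    for f in "$@"; do
        [ -f "$f" ] && grep -nE '(^|[[:space:]])[+]([[:space:]]|$)' "$f" \
            | sed "s|^|$f:|"
    done
    return 0
}

# Step 6: the author's ctime sweep with the day window as parameters
# (files changed less than $3 days ago and more than $2 days ago).
changed_in_window() {
    find "$1" -ctime -"$3" -ctime +"$2" -ls
}

# Demo on a constructed log: two statd lines and one unrelated line.
DEMO=$(mktemp -d)
cat > "$DEMO/messages" <<'EOF'
Apr 25 13:31:23 apollo statd[135]: attempt to create "/var/statmon/sm//../../../../tmp/.nfs09 D H $ $ $ $
Apr 25 13:40:00 apollo sendmail[201]: alias database /etc/aliases rebuilt
Apr 25 14:03:18 apollo statd[135]: attempt to create "/var/statmon/sm//../../../../tmp/.nfs09 D H $ $ $ $
EOF
printf 'trusted.example.com lionel\n+ +\n' > "$DEMO/rhosts"
echo "statd traversal attempts: $(statd_traversal_hits "$DEMO/messages")"
echo "target(s): $(statd_target_path "$DEMO/messages")"
rhosts_wildcards "$DEMO/rhosts"
changed_in_window "$DEMO" 2 7
rm -rf "$DEMO"
```

Run it against the real /var/adm/messages and / to reproduce the author's checks; a non-zero traversal count or a /tmp/.nfs* target is what to look for.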
Here is my original question:
Hello sun managers,
I got a strange, unknown message in /var/adm/messages. Could someone
give me a clue about it??
Thanks,
Lionel
THE MESSAGE:
Apr 25 13:31:23 apollo statd[135]: attempt to create
"/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../..//../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../tmp/.nfs09 D H $ $ $ $
` O * * * * # # P *` c 6
) # # ;
#
XbinXsh tirdwr "
Apr 25 14:03:18 apollo statd[135]: attempt to create
"/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../..//../../../../../../../../../../../../../../../../../../../../../../../../.
./../../../../../../../../../../../../../../../../../../../../../../../../../../
../../../../../../../../../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../tmp/.nfs09 D H $ $ $ $
` O * * * * # # P *` c 6
) # # ;
#
XbinXsh tirdwr "
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:39 CDT