LinuxSA Mailing list archives
From: Alan Kennington <akenning@topology.org>
To: LinuxSA <linuxsa@linuxsa.org.au>
Date: Thu, 26 Apr 2001 10:50:51 +0930
Re: Trojan? Cracker?
On Wed, Apr 25, 2001 at 11:31:07PM +0000, James Mclean wrote:
>
> Has my box been rooted? I am getting strange output in /var/log/messages,
[...]
>
> Apr 22 22:12:00 helium 173>Apr 22 22:12:00 /sbin/rpc.statd[156]: gethostbyname
> error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x
[...]
James,
My guess is that this is just a remote hack attempt, which is designed to
work for a version of statd which you do not have.
I.e. you're probably just seeing the symptoms of the statd
process on your machine correctly rejecting the garbage
which it has been sent.
If they had succeeded, you would not have seen the messages.
But in your situation, if the attempts are continuing, I'd
run tcpdump to log the attempts.
E.g.
tcpdump -i ppp0 -w stat1.tcp tcp port 15 &
or whatever the port is that your statd process uses.
(Run netstat -vat or netstat -vatn to get this info.)
Once you have the IP address of the perpetrator, look it up
with "dig -x IP-address" and report it to the network
administrator of the attacker.
But personally, I don't see any value in allowing your
statd process to give info to the whole world.
Why not just hide it behind a firewall?
In fact, do you use it at all yourself?
I have about 8 machines on the net with no statd.
As far as I know....
Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
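Added example (not part of the thread above, and not code by either poster): a small POSIX shell script covering the two practical steps in the reply, deciding from /var/log/messages which rpc.statd lines are attack payloads rather than hostnames, and finding the port(s) to put in the tcpdump filter. The log lines and the "rpcinfo -p" output are constructed samples modelled on the post; 100024 is the RPC program number of the status service (rpc.statd), which has no fixed port because the portmapper assigns one at start-up and normally registers it for both udp and tcp, so the filter is built to cover every registration. The "%8x" in the quoted log line is a printf-style conversion, which no hostname contains and which is the hallmark of a format-string payload aimed at a logging call.

```shell
#!/bin/sh
# Added example, not from the LinuxSA thread. Two helpers for the situation
# in the post: flag rpc.statd log lines that carry a payload instead of a
# hostname, and work out which ports statd registered with the portmapper so
# a tcpdump capture covers all of them. All input below is constructed.

set -u

# Print lines where rpc.statd logged a "hostname" containing printf-style
# conversions (%8x, %n, %s ...), syslog's caret escapes for control bytes
# (^X, ^[ ...) or bytes outside printable ASCII. A genuine hostname has none
# of these; the line quoted in the post has all three.
suspicious_statd_lines() {
    LC_ALL=C grep -E \
        'rpc\.statd\[[0-9]+\]: gethostbyname error for .*(%[0-9]*[xnsp]|\^[A-Z@[]|[^ -~])' \
        "$1"
}

# Print "proto port" for every registration of RPC program 100024 (status,
# i.e. rpc.statd) found in saved "rpcinfo -p" output. statd has no fixed
# port; the portmapper hands it one at start-up, usually for udp and tcp.
statd_ports() {
    awk '$1 == 100024 { print $3, $4 }' "$1" | sort -u
}

# Turn those registrations into a tcpdump (BPF) filter such as
# "(tcp port 1024 or udp port 1024)".
tcpdump_filter() {
    statd_ports "$1" |
        awk '{ if (f != "") f = f " or "; f = f $1 " port " $2 }
             END { print "(" f ")" }'
}

# --- constructed sample input -------------------------------------------
LOG=$(mktemp) && RPC=$(mktemp)
trap 'rm -f "$LOG" "$RPC"' EXIT

# Four syslog lines; the second mimics the one quoted in the post.
cat > "$LOG" <<'EOF'
Apr 22 22:11:58 helium login[1201]: LOGIN ON tty1 BY james
Apr 22 22:12:00 helium /sbin/rpc.statd[156]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿%8x%8x%8x%n
Apr 22 22:12:05 helium /sbin/rpc.statd[156]: gethostbyname error for nfsclient.example.org
Apr 22 22:13:00 helium kernel: eth0: link up
EOF

# What "rpcinfo -p" prints on a host running portmap and rpc.statd
# (port numbers made up for the example).
cat > "$RPC" <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
EOF

echo "Suspicious rpc.statd lines:"
suspicious_statd_lines "$LOG"
echo
echo "Capture command for the ports statd registered:"
echo "tcpdump -i ppp0 -w statd.pcap '$(tcpdump_filter "$RPC")'"
```

On a live host, replace the constructed files with the real /var/log/messages and with the output of "rpcinfo -p" saved to a file; the printed tcpdump command is only echoed, not run, so it can be checked before starting the capture.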