SUMMARY: Suspicious statd error messages on 2.5/2.5.1 machines

James Kwong (kwong@solar.acast.nova.edu)
Tue, 07 Apr 1998 17:56:50 -0400 (EDT)

Dear Sun Managers,

Thanks for all the responses from the following people:
Bob Rahe
Casper Dik
Chris Liljenstolpe
David Mitchell
Gregory Coleman
Heidi Burgiel
James Hsieh
Jamie Lawrence
Joel Lee
Marc Newman
Marc S. Gibian
Mark Bergman
Nikos George
Rachel Polanskis
Ronald Loftin
Thomas Anders
foster@bial1.ucsd.edu
(excuse me if I miss anyone)

My Original Question:

>> A couple of our 2.5/2.5.1 machines got the following in /var/adm/messages
>> yesterday. When I compared it with another 2.4 machine, I got a similar
>> but slightly different message. Has anyone seen this before?

>> On Solaris 2.5/2.5.1 machines:
>> /var/adm/messages:Apr 5 06:20:21 machine1 statd[145]: attempt to create
>> "/var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/.nfs09 D H $ $ $ $ ` O * * * * # # P *` c 6) # # ; # XbinXsh tirdwr "
>> On a Solaris 2.4 machine:
>> /var/adm/messages:Apr 5 16:46:24 scis statd[131]: statd: open of
>> /var/statmon/sm//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../..//../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.., error Invalid argument
>>
>> P.S. 103468-03 statd patch has been applied on these 2.5/2.5.1 machines.
>> Are there some other patches that I need to install too?

In short, almost all of the replies mentioned that our system is under
attack by the buffer overflow bug in statd. :( The patches for this
statd exploit for sparc are 104166-03 for 2.5.1, 103468-03 for 2.5
and 102769-04 for 2.4.

A few recommended that I should read www.cert.org for advice and
the readings from:

ftp.cert.org/pub/cert_advisories/CA-97.26.statd

Casper mentioned that the patch I installed (103468-03) should protect us
against the attack.

Also, as pointed out by James Hsieh in section IV.B of

http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd

it describes the exact same error message that I posted. This section
mentioned that only those who have tcp_wrappers and the 'logging portmapper'
(?) will see the attack in the normal log files like /var/adm/messages.
Otherwise, you might never see the attack in any normal system logs.

Thanks again.

- James.

+---------------------------------+----------------------------------+
| Unix System Administrator | James Kwong 954-262-4906 |
| Nova Southeastern University | kwong@solar.acast.nova.edu |
+---------------------------------+----------------------------------+
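As an added detection example (not part of the original post or of any reply), the check below scans syslog-style lines for statd messages whose file name carries a run of `../` components, the feature both quoted messages share. The sample lines are constructed and shortened from the ones quoted above; the regular expressions, the depth threshold and the function names are my assumptions, not anything from the CERT or SDSC bulletins.

```python
import re

# Constructed sample lines, modelled on (and shortened from) the messages
# quoted in the post: two statd attack traces, one benign statd entry and
# one unrelated line that must be ignored.
SAMPLE_LOG = """\
Apr  5 06:20:21 machine1 statd[145]: attempt to create "/var/statmon/sm//../../../../../../tmp/.nfs09 D H $ $ $ $"
Apr  5 06:21:02 machine1 statd[145]: attempt to create "/var/statmon/sm/client.example.edu"
Apr  5 16:46:24 scis statd[131]: statd: open of /var/statmon/sm//../../../../../../.., error Invalid argument
Apr  5 16:47:00 scis sendmail[200]: NOQUEUE: connection from nowhere
"""

# syslog line shape: "Mon DD HH:MM:SS host statd[pid]: message"
STATD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"statd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# a run of "../" components; a real monitor-file name under sm/ never has one
TRAVERSAL_RE = re.compile(r"(?:\.\./)+")


def traversal_depth(msg):
    """Number of '..' components in the longest '../' run in the message."""
    return max((r.count("../") for r in TRAVERSAL_RE.findall(msg)), default=0)


def classify(line):
    """Return a finding dict for a statd line that carries a traversal, else None."""
    m = STATD_RE.match(line)
    if not m:
        return None  # not a statd message at all
    depth = traversal_depth(m.group("msg"))
    if depth < 2:
        return None  # ordinary statd activity, e.g. creating a monitor file
    return {
        "time": m.group("ts"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "traversal_depth": depth,
        "message": m.group("msg"),
    }


def scan(text):
    """Scan syslog text and return every statd traversal finding, in order."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} statd[{f['pid']}]: '../' run of depth {f['traversal_depth']}")
```

Run it against a real /var/adm/messages with `python3 check.py < /var/adm/messages` after changing the `__main__` block to read `sys.stdin`; as the SDSC bulletin notes, a host without a logging portmapper may simply have no statd lines to find.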