Red Hat Bugzilla – Bug 17498
Remote root access bug through rpc.rstatd
Last modified: 2008-05-01 11:37:58 EDT
A hacker broke into my freshly installed Redhat 6.2 system using this
exploit. The message logged in /var/log/messages was
rpc.statd: SM_MON request for hostname containing '/':
Following the colon was the data he used to alter the return address of the
call and execute the bits to put an entry into inetd.conf to allow a shell
to run etc. Usual story. I don't think I should responsibly post that
data here. I probably can't anyway because some of the characters aren't
Looks like a buffer overflow problem.
Sorry if I've posted this in the wrong category but I can't find one for
Component for rpc.statd appears to be knfsd-clients ...
Did you have http://www.redhat.com/support/errata/RHSA-2000-043-03.html
I didn't at the time but I do now. They've since tried to get in again via the
same route and they can't so that's solved the problem.
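
Added example, not part of the original bug report: a small scanner that finds the rpc.statd message quoted above in a syslog file and summarizes what followed the colon without echoing the raw bytes. The syslog prefix layout, the 255-byte threshold, the function name scan and the sample lines are assumptions made for this example.

```python
import re

# Message text is the one quoted in the report; the syslog prefix
# ("Mon DD HH:MM:SS host tag[pid]:") is an assumed, typical layout.
SM_MON = re.compile(
    rb"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    rb"rpc\.statd(?:\[\d+\])?:\s"
    rb"SM_MON request for hostname containing '/': ?(?P<data>.*)$"
)
MAX_HOSTNAME = 255  # assumed threshold: longest valid DNS name


def scan(lines):
    """Return one summary dict per matching log line (lines are bytes)."""
    hits = []
    for raw in lines:
        m = SM_MON.match(raw.rstrip(b"\r\n"))
        if not m:
            continue
        data = m.group("data")
        # Count bytes outside printable ASCII; the payload itself is never printed.
        non_printable = sum(1 for b in data if b < 0x20 or b > 0x7E)
        hits.append({
            "time": m.group("ts").decode("ascii"),
            "host": m.group("host").decode("ascii", "replace"),
            "data_len": len(data),
            "non_printable": non_printable,
            "suspicious": non_printable > 0 or len(data) > MAX_HOSTNAME,
        })
    return hits


# Constructed sample lines (placeholder bytes, not data from a real incident).
SAMPLE = [
    b"Aug 17 03:12:45 host1 rpc.statd[351]: SM_MON request for hostname "
    b"containing '/': \x01\x02\xfe\xffAAAA/x\n",
    b"Aug 17 03:13:02 host1 inetd[412]: pid 900: exit status 1\n",
    b"Aug 19 22:40:10 host1 rpc.statd[351]: SM_MON request for hostname "
    b"containing '/': a/b\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

To scan a real log, pass a file opened in binary mode, since the logged data may not be valid text.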