From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (X11; U; Linux 2.2.17-14 i686)

I was hacked a few weeks ago using an rpc.rstatd remote root exploit. It was a script-kiddie job, so the exploit must be well known, yet I don't see anything about it on your errata pages.

Reproducible: Always

Steps to Reproduce:
1. Leave rpc.rstatd daemon running
2. Wait for script kiddie port scan
3. Get hacked

I don't seem to be able to get cut and paste to work right now. I can email the /var/log/messages file, which shows the sequence of the hack. The important line was an rpc.rstatd error: gethostbyname error followed by garbage, which I'm assuming is a buffer overrun.
rpc.rstatd or rpc.statd? (They're two very different things.)
Oops. Yes, it is rpc.statd. Basically, I did a search on the Redhat 6.2 errata/security web page for "nfs" and "statd", and didn't see anything. I also used the search box from the main Redhat web page to search for rpc.statd, and didn't get any links to exploit info. The /var/log/messages line was rpc.statd[357]: gethostbyname error for <garbage> followed by new accounts being created and passwords being changed.
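As an added illustration (not part of the bug report or of Red Hat's packages), the following script scans syslog-format lines for the rpc.statd "gethostbyname error for" message the reporter describes and flags entries whose argument is not a plausible hostname. The sample lines and the hostname bound are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# rpc.statd logs this when a name lookup fails; the name after "for" is the
# one supplied by the remote caller, so garbage here is worth alerting on.
STATD_RE = re.compile(r"rpc\.statd\[(\d+)\]: gethostbyname error for (.*)$")
# Conservative hostname alphabet: letters, digits, dot, hyphen (assumed bound).
HOSTNAME_OK_RE = re.compile(r"^[A-Za-z0-9.-]+$")
MAX_HOSTNAME = 253


def classify_statd_line(line: str) -> Optional[Tuple[int, str]]:
    """Return (pid, reason) for an anomalous statd lookup failure,
    (pid, "") for a plausible one, or None if not a statd lookup error."""
    m = STATD_RE.search(line)
    if m is None:
        return None
    pid, name = int(m.group(1)), m.group(2)
    if not HOSTNAME_OK_RE.match(name):
        return pid, "argument contains non-hostname bytes"
    if len(name) > MAX_HOSTNAME:
        return pid, "argument longer than %d bytes" % MAX_HOSTNAME
    return pid, ""


def scan_log(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line_number, pid, reason) for every anomalous statd line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_statd_line(line)
        if result is not None and result[1]:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample lines in /var/log/messages format (not the reporter's log).
SAMPLE_LOG = [
    "Jan  5 03:12:01 box rpc.statd[357]: gethostbyname error for client.example.test",
    "Jan  5 03:12:09 box rpc.statd[357]: gethostbyname error for \x18\x5a\xff\xfe" + "A" * 40,
    "Jan  5 03:12:10 box rpc.statd[357]: gethostbyname error for " + "a" * 300,
    "Jan  5 03:12:15 box kernel: nfs: server box OK",
]

if __name__ == "__main__":
    for n, pid, reason in scan_log(SAMPLE_LOG):
        print("line %d rpc.statd[%d]: %s" % (n, pid, reason))
```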
You are right, the nfs-utils errata is not listed (anymore?) on the www.redhat.com web page, although it is available: ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm In the last few months I see more and more discrepancies in the listed errata advisories. Newest glitch: vim errata listed twice. Many new advisories list "Affected: 5.2, 6.2, 7.0" although all 6.x releases are affected (and errata packages are built with a .6x. name).
I have a question. This concerns RH 7.0. I am working on a new worm that takes advantage of the rpc statd exploit for 6.2. A gentleman had his 7.0 machine rooted, and the only service that we can find is rpc statd. Is there something I am missing? All that the errata says is that it affects 6.2. Any help would be appreciated. I can drop you guys off the source for this new worm, a variant of Ramen and Lion. Matt
Bob, this has been addressed by errata, correct?
Yes. Errata mentioned above covers 6.2. The fix has been in since 7.0.