Suspicious statd error messages on 2.5/2.5.1 machines

Dear Sun Managers,

Thanks for all the responses from the following people:

        Bob Rahe
        Casper Dik
        Chris Liljenstolpe
        David Mitchell
        Gregory Coleman
        Heidi Burgiel
        James Hsieh
        Jamie Lawrence
        Joel Lee
        Marc Newman
        Marc S. Gibian
        Mark Bergman
        Nikos George
        Rachel Polanskis
        Ronald Loftin
        Thomas Anders
        foster@bial1.ucsd.edu

(excuse me if I missed anyone)

My Original Question:

>> A couple of our 2.5/2.5.1 machines got the following in /var/adm/messages
>> yesterday. When I compared it with another 2.4 machine, I got a similar
>> but slightly different message. Has anyone seen this before?
>>
>> On Solaris 2.5/2.5.1 machines:
>> /var/adm/messages:Apr 5 06:20:21 machine1 statd[145]: attempt to create
>> "/var/statmon/sm/////////////////////////////http:////////////////////////////////tmp/.nfs09 D H $ $ $ $ ` O * * * * # # P *` c 6) # # ; # XbinXsh tirdwr "
>>
>> On a Solaris 2.4 machine:
>> /var/adm/messages:Apr 5 16:46:24 scis statd[131]: statd: open of
>> /var/statmon/sm/////////////////////////////http:////////////////////////////http://.., error Invalid argument
>>
>> P.S. The 103468-03 statd patch has been applied on these 2.5/2.5.1 machines.
>> Are there some other patches that I need to install too?

In short, almost all of the replies mentioned that our systems are under
attack via the buffer overflow bug in statd. :( The patches for this
statd exploit for sparc are 104166-03 for 2.5.1, 103468-03 for 2.5
and 102769-04 for 2.4.
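Since the fix is a per-release patch revision, the practical check is whether the right patch id at (at least) the listed revision is present. The following is an added example, not from the mail or from Sun: it maps the three releases to the patch revisions quoted above and compares them against the output of showrev -p, whose line shape ("Patch: 103468-03 Obsoletes: ... Packages: ...") is assumed here; the sample output and the third patch id in it are constructed.

```python
import re

# Minimum statd patch revision per Solaris release (sparc), as listed in the
# summary above.  Hypothetical helper, not part of the original mail.
REQUIRED_STATD_PATCH = {
    "2.4":   ("102769", 4),
    "2.5":   ("103468", 3),
    "2.5.1": ("104166", 3),
}

# Assumed `showrev -p` line shape: "Patch: 103468-03 Obsoletes: ... Packages: ..."
PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def installed_patches(showrev_output):
    """Parse `showrev -p` output into {patch_id: highest installed revision}."""
    found = {}
    for line in showrev_output.splitlines():
        m = PATCH_LINE.match(line.strip())
        if not m:
            continue
        patch_id, rev = m.group(1), int(m.group(2))
        # An older revision may still be listed; keep the highest one seen.
        if rev > found.get(patch_id, -1):
            found[patch_id] = rev
    return found


def statd_patch_status(release, showrev_output):
    """Return (ok, detail) telling whether the statd fix for `release` is present."""
    if release not in REQUIRED_STATD_PATCH:
        return False, "no statd patch recorded here for Solaris %s" % release
    patch_id, need_rev = REQUIRED_STATD_PATCH[release]
    have_rev = installed_patches(showrev_output).get(patch_id)
    if have_rev is None:
        return False, "%s-%02d not installed" % (patch_id, need_rev)
    if have_rev < need_rev:
        return False, "%s-%02d installed, %s-%02d required" % (
            patch_id, have_rev, patch_id, need_rev)
    return True, "%s-%02d installed (>= %s-%02d)" % (
        patch_id, have_rev, patch_id, need_rev)


# Constructed sample of showrev -p output for a 2.5 box that has the statd fix.
# The third patch id is made up for contrast.
SAMPLE_SHOWREV = """\
Patch: 103468-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 103468-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 103582-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""

if __name__ == "__main__":
    # On a live host, feed it subprocess.check_output(["showrev", "-p"]).decode()
    for rel in ("2.4", "2.5", "2.5.1"):
        print(rel, statd_patch_status(rel, SAMPLE_SHOWREV))
```

Running it against the constructed output reports 2.5 as patched and the other two releases as missing their patch, which is exactly the shape of answer the question above was after.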

A few recommended that I read www.cert.org for advice, and the advisory at:

        ftp.cert.org/pub/cert_advisories/CA-97.26.statd

Casper mentioned that the patch I installed (103468-03) should protect us
against the attack.

Also, as pointed out by James Hsieh, section IV.B of

        http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd

describes the exact same error message that I posted. This section
mentions that only those who have tcp_wrappers and the 'logging portmapper'
(?) will see the attack in the normal log files like /var/adm/messages.
Otherwise, you might never see the attack in any normal system logs.
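For the hosts where the message does land in /var/adm/messages, it is worth pulling those lines out rather than waiting to notice them by eye. The following is an added example, not part of the mail or of any vendor tool: it parses statd syslog lines (with or without the "file:" prefix grep leaves) and flags entries whose /var/statmon/sm/ name looks like the two quoted above, i.e. long runs of slashes, "http:" padding, non-printable bytes or shell metacharacters where a plain client hostname should be. The sample log is constructed from the two messages in the question (the 2.4 one rejoined on one line) plus two benign lines made up for contrast.

```python
import re

# Syslog line as written by statd, with an optional "file:" prefix as left by
# grep over /var/adm/messages.  Hypothetical checker, not part of the mail.
SYSLOG_RE = re.compile(
    r"^(?:[^:]*messages:)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) statd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# A legitimate statmon entry is a single client hostname, so none of these
# should appear inside /var/statmon/sm/... at all.
SLASH_RUN = re.compile(r"/{4,}")          # padding runs of slashes
NON_PRINT = re.compile(r"[^\x20-\x7e]")   # raw bytes that were not text
SHELL_META = re.compile(r"[`$;|&*]")      # shell metacharacters in a "hostname"


def classify_statd_line(line):
    """Return a dict describing a statd syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    reasons = []
    if "/var/statmon/sm/" in msg:
        if SLASH_RUN.search(msg):
            reasons.append("run of slashes")
        if NON_PRINT.search(msg):
            reasons.append("non-printable bytes")
        if SHELL_META.search(msg):
            reasons.append("shell metacharacters")
        if "http:" in msg:
            reasons.append("URL-like padding")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_statd_log(lines):
    """Return only the suspicious statd entries from an iterable of log lines."""
    hits = []
    for line in lines:
        rec = classify_statd_line(line)
        if rec and rec["suspicious"]:
            hits.append(rec)
    return hits


# Constructed sample: the two messages quoted in the mail (2.4 one rejoined on
# a single line) plus two benign statd lines made up for contrast.
SAMPLE_LOG = r"""
/var/adm/messages:Apr 5 06:20:21 machine1 statd[145]: attempt to create "/var/statmon/sm/////////////////////////////http:////////////////////////////////tmp/.nfs09 D H $ $ $ $ ` O * * * * # # P *` c 6) # # ; # XbinXsh tirdwr "
/var/adm/messages:Apr 5 16:46:24 scis statd[131]: statd: open of /var/statmon/sm/////////////////////////////http:////////////////////////////http://.., error Invalid argument
Apr 5 07:00:00 machine1 statd[145]: open of /var/statmon/sm/client2, error No such file or directory
Apr 5 07:00:01 machine1 statd[145]: statd: cannot talk to statd at client2, RPC: Timed out
""".strip("\n").splitlines()

if __name__ == "__main__":
    # On a live host: scan_statd_log(open("/var/adm/messages"))
    for hit in scan_statd_log(SAMPLE_LOG):
        print("%s %s statd[%d]: %s" % (
            hit["ts"], hit["host"], hit["pid"], ", ".join(hit["reasons"])))
```

The benign "open of /var/statmon/sm/client2" line is parsed but not flagged, which is the point of matching on the shape of the name rather than on the words "attempt to create" or "open of", since those differ between the 2.4 and 2.5 messages quoted above.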

Thanks again.

- James.

+---------------------------------+----------------------------------+
| Unix System Administrator       | James Kwong 954-262-4906         |
| Nova Southeastern University    | kwong@solar.acast.nova.edu       |
+---------------------------------+----------------------------------+
