[lug] Interesting Crash Report
Scott A. Herod
herod at interact-tv.com
Tue Mar 20 17:51:07 MST 2001
I hate to say it, but rpc.statd is the backdoor of choice for
the generic RH 6.2 release. Things to check;
rpm --verify `rpm --query -f \`which netstat\` `
Anything returned is BAD.
Also check, ls, ps, and lsof by replacing "netstat" above with the
Also, look for funny things in /etc/rc.d/rc.local and rc.sysinit.
Also, as root, check the result of "lsof -i". Suspicious
things are sshd's running on numerical ports, esp. anything higher
If anything is wrong, esp. a non-empty return from a rpm --verify
it's time to rebuild the machine. I'd suggest looking at up
grading to RH 7.1. It has turns on an ipchain firewall for you.
Regardless, turn off rpc.statd. Disable /etc/rc.d/init.d/nfslock.
If you really must run it, get the fixed version from www.redhat.com.
> Well, I do not now if what follows really is interesting; but it has
> consumed my time quite effectively. At one point it occurred to me
> that the damage might be due to a virus.
> I turn off my machine at the end of each day, and re-boot the next
> time I want to use it; I am using RedHat 6.2. Last evening I shut
> down, essentially normally; although I did notice that statd failed,
> whatever that means, and I was having some problem with communicating
> with my ISP immediately before shutting down.
> This morning I could not log in. The software came up properly to the
> point of the login prompt; but that was it; thereafter I could not log
> in as anybody; there are three accounts, including root, on my
> machine. I did not try booting from a floppy because the machine had
> I have a "spare" installation of Linux on another disc, so I was able
> to get going. I poked around looking for files that were altered
> yesterday; and, sure enough, /bin/login was dated Mar 19 and the ls
> entry looked different from that in the spare Linux. I copied over
> the spare, re-booted, and everything appears to be fine.
> Here is the original login entry (the .orig I added before doing the
> copy), I do not have user 500, nor group 500:
> -r-sr-xr-x 1 500 500 20452 Mar 19 22:43 login.orig*
> And here is the copied entry, that works; it is dated Mar 7 2000 in
> the spare Linux.
> -rwxr-xr-x 1 root root 20452 Mar 20 22:08 login*
> Any comments? What does the stat daemon do?
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG