[lug] Interesting Crash Report

Scott A. Herod herod at interact-tv.com
Tue Mar 20 17:51:07 MST 2001

Hi David,

I hate to say it, but rpc.statd is the backdoor of choice for
the generic RH 6.2 release.  Things to check:

rpm --verify "$(rpm --query -f "$(which netstat)")"

Anything returned is BAD.

Also check ls, ps, and lsof by replacing "netstat" above with the
respective commands.

Also, look for funny things in /etc/rc.d/rc.local and rc.sysinit.

Also, as root, check the result of "lsof -i".  Suspicious
things are sshd's running on numerical ports, esp. anything higher
than 1024.

If anything is wrong, esp. a non-empty return from an rpm --verify,
it's time to rebuild the machine.  I'd suggest looking at
upgrading to RH 7.1.  It turns on an ipchains firewall for you.

Regardless, turn off rpc.statd.  Disable /etc/rc.d/init.d/nfslock.
If you really must run it, get the fixed version from www.redhat.com.


David wrote:
> Well, I do not know if what follows really is interesting; but it has
> consumed my time quite effectively.  At one point it occurred to me
> that the damage might be due to a virus.
> I turn off my machine at the end of each day, and re-boot the next
> time I want to use it; I am using RedHat 6.2.  Last evening I shut
> down, essentially normally; although I did notice that statd failed,
> whatever that means, and I was having some problem with communicating
> with my ISP immediately before shutting down.
> This morning I could not log in.  The software came up properly to the
> point of the login prompt; but that was it; thereafter I could not log
> in as anybody; there are three accounts, including root, on my
> machine.  I did not try booting from a floppy because the machine had
> booted.
> I have a "spare" installation of Linux on another disc, so I was able
> to get going.  I poked around looking for files that were altered
> yesterday; and, sure enough, /bin/login was dated Mar 19 and the ls
> entry looked different from that in the spare Linux.  I copied over
> the spare, re-booted, and everything appears to be fine.
> Here is the original login entry (the .orig I added before doing the
> copy), I do not have user 500, nor group 500:
> -r-sr-xr-x   1 500      500         20452 Mar 19 22:43 login.orig*
> And here is the copied entry, that works; it is dated Mar 7 2000 in
> the spare Linux.
> -rwxr-xr-x   1 root     root        20452 Mar 20 22:08 login*
> Any comments?  What does the stat daemon do?
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
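The two checks Scott lists above, the rpm --verify of the package that owns each
binary and the lsof -i look for daemons on numeric ports, are easy to run by hand
but tedious to read on a box you already distrust. The script below is an added
example, not part of the original mail or of Red Hat's tooling: it parses the
output formats of rpm --verify and lsof -i from text, so the triage logic runs
offline against constructed sample lines, and verify_commands() at the end is the
live wrapper that actually needs rpm. The sample lines, the function names and
the port 31337 listener are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): offline triage helpers for two of
# the checks in the reply above. rpm --verify and lsof -i output are parsed from
# text, so this runs without rpm or lsof; verify_commands() at the end is the
# live wrapper and does need rpm (it is not exercised by the samples here).
#
# Caveat: rpm --verify trusts the rpm binary and its database. A non-empty
# result is meaningful; an empty one is not proof of a clean system.

# Classify one line of `rpm --verify` output.
#   Examples: "S.5....T   /bin/netstat"  "S.5....T c /etc/inetd.conf"  "missing    /usr/sbin/lsof"
#   Flag letters: S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime.
# Prints BAD    for a missing file or a changed size/mode/digest/owner/group,
#        CONFIG for a changed config file (marked "c"; local edits there are expected),
#        OK     otherwise (e.g. only the mtime moved).
classify_verify_line() {
    flags=$(printf '%s\n' "$1" | awk '{print $1}')
    attr=$(printf '%s\n' "$1" | awk '{print $2}')
    if [ "$flags" = "missing" ]; then echo BAD; return; fi
    if [ "$attr" = "c" ]; then echo CONFIG; return; fi
    case "$flags" in
        *S*|*M*|*5*|*U*|*G*) echo BAD ;;
        *) echo OK ;;
    esac
}

# Count the BAD lines in a block of rpm --verify output passed as $1.
count_bad_lines() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_verify_line "$line")" = "BAD" ]; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# From `lsof -i` output passed as $1, print "COMMAND PORT" for every listener
# whose port shows as a bare number above 1024. lsof prints a service name when
# the port is in /etc/services, so a bare number is the "numerical port" case.
high_port_listeners() {
    printf '%s\n' "$1" | awk '
        /\(LISTEN\)/ {
            n = split($(NF - 1), a, ":")      # NAME column, e.g. "*:31337" or "*:ssh"
            port = a[n]
            if (port ~ /^[0-9]+$/ && port + 0 > 1024) print $1, port
        }'
}

# Live wrapper (needs rpm): verify the package owning each named command and
# prefix every changed file with its classification.
verify_commands() {
    for cmd in "$@"; do
        path=$(command -v "$cmd") || { echo "$cmd: not found"; continue; }
        pkg=$(rpm --query -f "$path") || { echo "$path: not owned by any package"; continue; }
        rpm --verify "$pkg" | while IFS= read -r line; do
            echo "$(classify_verify_line "$line") $line"
        done
    done
}

# Constructed sample rpm --verify output (not from David's machine): a replaced
# netstat, a ps with only its mtime changed, an edited config file, a missing lsof.
SAMPLE_VERIFY_OUTPUT='S.5....T   /bin/netstat
.......T   /bin/ps
S.5....T c /etc/inetd.conf
missing    /usr/sbin/lsof'

# Constructed sample lsof -i output: the normal sshd on port 22 plus a second
# sshd on an unnamed high port, which is the pattern to look for.
SAMPLE_LSOF_OUTPUT='COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     512 root    3u  IPv4    812       TCP *:ssh (LISTEN)
sshd    1888 root    3u  IPv4   9021       TCP *:31337 (LISTEN)
sendmail 610 root    4u  IPv4    901       TCP *:smtp (LISTEN)'

echo "BAD rpm --verify lines in sample: $(count_bad_lines "$SAMPLE_VERIFY_OUTPUT")"
echo "Listeners on numeric ports above 1024:"
high_port_listeners "$SAMPLE_LSOF_OUTPUT"
```

On a live box you would call `verify_commands netstat ls ps lsof login` as root;
anything classified BAD is the "anything returned" case from the reply, and an
mtime-only change (OK) is worth a second look but is not by itself evidence of a
replaced binary. The CONFIG class exists so edited files under /etc do not drown
out the signal.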
