Operating System - HP-UX

Re: core file ../../../tmp/statd-vulnerable

 
Julian Parker
New Member

core file ../../../tmp/statd-vulnerable

A couple of days ago our system (HP-UX 10.01) started creating a core file at around 23:42 each night during backup which fills up / (111%).

When I use `strings core` there are thousands of entries of ../../../tmp/statd-vulnerable and some mention of rpc.statd. We only noticed this happening because the database does not restart in the morning until I remove the core file and restart the database manually.

I can't find any error messages anywhere else on the system (except temp files in /var/statmon/sm.bak with the same entry in it).

I don't want to jump to conclusions of a compromised system just yet but I do need to know what is happening.

Anyone got any ideas?


JP
Stefan Farrelly
Honored Contributor

Re: core file ../../../tmp/statd-vulnerable

Very interesting. The first thing I would do is, in /, create a symbolic link called core pointing to /dev/null; this way next time it won't fill up /.

Have you identified which process has died creating the core file? Is it rpc.statd, or is that process still running? Is it your backup program which is core dumping?

I wouldn't think your system had been compromised, simply that due to a resource problem or a patch issue this is happening. Have you tried a reboot first to see if it is a resource problem?
I'm from Palmerston North, New Zealand, but somehow ended up in London...
U.SivaKumar_2
Honored Contributor

Re: core file ../../../tmp/statd-vulnerable

Hi,

This may not be called a root compromise.

It means that somebody has run a security scan against your server on rpc.statd.

Check for the file /tmp/statd-vulnerable. If the file exists then your rpc.statd is vulnerable, allowing a hacker to create arbitrary files in your filesystem.

Carefully look for any odd files or entries in directories and config files to be on the safer side.

regards,

U.SivaKumar

Innovations are made when conventions are broken
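The checks the two replies above ask for (which program dumped the core, how many copies of the probe string it holds, whether the scanner's marker file was actually created, and which sm.bak entries carry a path instead of a host name), collected into one script. This is an added example, not code from the thread or from HP. It assumes the HP-UX 10.x locations /var/statmon/sm.bak and /tmp/statd-vulnerable and a core file in /; every path can be overridden through the environment, and the functions take their inputs as arguments so they can be run against a scratch copy. The string ../../../tmp/statd-vulnerable is what a scanner sends as the "host name" in an SM_MON request: a statd that builds its state-file path from that name verbatim writes the file under /tmp instead of under /var/statmon/sm, which is exactly what the marker file check detects. One caveat on the /dev/null symlink: it keeps / from filling up, but it also throws away the next core, so park the current one on a filesystem with room before installing the link.

```shell
#!/bin/sh
# Added example (not from the thread): triage a core file whose strings show
# statd monitor names of the form ../../../tmp/statd-vulnerable.
# Paths are the assumed HP-UX 10.x defaults and can be overridden from the
# environment; nothing here modifies the system except park_core.
STATMON_BAK=${STATMON_BAK:-/var/statmon/sm.bak}
MARKER_FILE=${MARKER_FILE:-/tmp/statd-vulnerable}

# Which program dumped the core.  HP-UX file(1) reports something like
# "core file from 'rpc.statd' - received SIGSEGV", which settles whether
# statd itself died or the backup program did.
core_origin() {
    file "$1"
}

# Count the scanner marker in a core image.  Equivalent to
# "strings core | grep -c statd-vulnerable": every non-printable byte is
# turned into a newline so each embedded string lands on its own line.
count_marker() {
    tr -c '[:print:]' '\n' < "$1" | grep -c 'statd-vulnerable' || true
}

# rpc.statd keeps one file per monitored host in sm and sm.bak.  A legitimate
# entry is a host name; anything containing "../" was supplied by a client
# that sent a path instead of a name.  Prints the offending file names.
traversal_entries() {
    dir=$1
    [ -d "$dir" ] || return 0
    grep -l '\.\./' "$dir"/* 2>/dev/null || true
}

# "present" means the probe really did create its marker file, i.e. the
# daemon used the untrusted name to build a path and the traversal worked.
marker_state() {
    if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Stop the nightly core from filling / without losing the one you still
# want to look at: move an existing core to $2 (a filesystem with room),
# then point $1/core at /dev/null as the reply above suggests.
park_core() {
    dir=$1
    keep=$2
    if [ -f "$dir/core" ]; then
        mv "$dir/core" "$keep/core.$(date +%Y%m%d)"
    fi
    if [ ! -L "$dir/core" ]; then
        ln -s /dev/null "$dir/core"
    fi
}

triage() {
    core=$1
    echo "origin: $(core_origin "$core")"
    echo "marker strings in core: $(count_marker "$core")"
    echo "marker file $MARKER_FILE: $(marker_state "$MARKER_FILE")"
    echo "sm.bak entries containing ../:"
    traversal_entries "$STATMON_BAK"
}

# usage: sh statd_triage.sh /core
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

If count_marker reports thousands of copies but marker_state says absent, the daemon rejected the name and only logged or buffered it (the situation the original poster describes); if the marker file is present, treat the box as one an unauthenticated client can write to and go straight to the patch and service shutdown discussed further down.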
melvyn burnard
Honored Contributor

Re: core file ../../../tmp/statd-vulnerable

Well, my first comment is that HP-UX 10.01 is so old, you should start thinking of updating to at least 11.00.
That said, do you have PHNE_17248 installed? If not, then I recommend this patch along with any dependencies.
You should also look at doing the following steps:
1. Kill the rpc.statd/lockd.
2. Remove the /var/statmon/sm and sm.bak directories.
3. Re-start rpc.statd.
4. Re-start rpc.lockd.

HTH
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
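The four steps above as a script, with the one addition a practitioner would want before deleting anything: a tar copy of the statmon directories, since the sm.bak entries are the only record of what the remote client sent. This is an added example, not code from the thread or from HP. The daemon paths (/usr/sbin/rpc.statd, /usr/sbin/rpc.lockd), the assumption that rpc.statd recreates /var/statmon/sm and sm.bak when it starts, and the use of ps -e with the command name in the last field are all HP-UX 10.x assumptions; they are only exercised with --apply. The directory handling takes the statmon directory and archive path as arguments so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example (not from the thread): the four statd/lockd cleanup steps,
# with the statmon directories archived before removal.  Daemon paths and
# the ps(1) layout are assumed for HP-UX 10.x.
STATMON_DIR=${STATMON_DIR:-/var/statmon}
RPC_STATD=${RPC_STATD:-/usr/sbin/rpc.statd}
RPC_LOCKD=${RPC_LOCKD:-/usr/sbin/rpc.lockd}

# Step 1: stop both daemons.  ps -e prints the command name in the last
# field, so match on that rather than trusting a pid file.
stop_lock_daemons() {
    for name in rpc.lockd rpc.statd; do
        for pid in $(ps -e | awk -v n="$name" '$NF == n { print $1 }'); do
            kill "$pid"
        done
    done
}

# Step 2, with evidence kept: archive whichever of sm and sm.bak exist
# under $1 into the tar file $2 (default: a timestamped file in /var/tmp),
# then remove them.  Prints the archive path; returns 1 if there was
# nothing to remove or the archive could not be written.
archive_and_clear_statmon() {
    dir=$1
    archive=${2:-/var/tmp/statmon-$(date +%Y%m%d%H%M%S).tar}
    members=
    for m in sm sm.bak; do
        if [ -d "$dir/$m" ]; then
            members="$members $m"
        fi
    done
    if [ -z "$members" ]; then
        return 1
    fi
    ( cd "$dir" && tar cf "$archive" $members ) || return 1
    for m in $members; do
        rm -rf "$dir/$m"
    done
    echo "$archive"
}

# Steps 3 and 4, in the order the reply gives: statd first, then lockd.
# Assumes rpc.statd recreates the statmon directories on start.
start_lock_daemons() {
    "$RPC_STATD" && "$RPC_LOCKD"
}

# usage (as root): sh statd_cleanup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    stop_lock_daemons
    archive_and_clear_statmon "$STATMON_DIR"
    start_lock_daemons
fi
```

Keep the archive somewhere outside /var/statmon; the contents of sm.bak are what you would hand to whoever ran the scan (or to an incident responder) to show exactly which names were sent.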
Pete Randall
Outstanding Contributor

Re: core file ../../../tmp/statd-vulnerable

This obviously won't do anything to help identify the real problem, but when was the last time your system was re-booted? If it was a long time ago, it might be a good idea to start with a clean slate. If it was recently, like right before this problem started, you need to look at what changed with that reboot (kernel parameters?).


Pete
Julian Parker
New Member

Re: core file ../../../tmp/statd-vulnerable

Thanks for the quick answers chaps.

Stefan Farrelly:
The system is rebooted every night and the core file occurs when /usr is backed up. The backup does complete though.

U. SivaKumar:
I googled before posting here and found information about rpc vulns, so when I saw the contents of the core file the /tmp file was the first thing I tried to find; however, it appears that HPUX is not vulnerable in this way but since there were no changes on the system (AFAIK). I have checked the box thoroughly for hidden files/directories that are out of place and log files for any errors but there is nothing at all. It may be that someone in MIS scanned the network and this system got tagged somehow... Maybe I just won't ever find out!

melvyn:
I know 10.01 is really old but due to an application support issue I can see us being locked in until the hardware is replaced.

I will certainly install the patches and do a bit of tidying up!

I think it would also be a good idea to stop any unnecessary services, I think NFS is no longer required on this server.

I'll see what happens tomorrow morning.

Cheers

JP