Date:      Thu, 9 Oct 2003 07:16:45 -0500
From:      "Charles Howse" <chowse@charter.net>
To:        "'Kris Kennaway'" <kris@obsecurity.org>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Unusual logcheck entry
Message-ID:  <005d01c38e5f$36fbba10$04fea8c0@moe>
In-Reply-To: <20031009105138.GC7709@rot13.obsecurity.org>

> On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > The following appeared in /var/log/messages in my daily logcheck report:
> >
> > Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > Oct  8 20:38:47 curly /kernel: -^PM-^PM-^P
> >
> > At that time, I was sitting on the couch watching the Cubs play the
> > Marlins.
> > Any idea what this means?
>
> This is an attempt to exploit an old Linux rpc.statd
> vulnerability; see the mailing list archives for extensive discussion
> a few years ago.

OK, I got some good info from the archives.
I realize this is a harmless attack if running FBSD.
I also realize that I shouldn't be running rpc on an interface facing
the internet.
For various reasons, this server is outside my hardware firewall, and
I'm not interested in configuring a software firewall.
Correct me if I'm wrong, but it looks to me like rpc.statd is related
(at least) to NFS.
I've placed the line nfs_server_flags="-h 192.168.254.2" in my
/etc/rc.conf, and rebooted.
I've also edited /etc/ssh/sshd_config, and told it to listen only on
192.168.254.2, and not allow root logins.
Am I now protected from this attack? (note rpc.stat lines below)

[root@curly ~]# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charles  sshd       194    4 tcp4   192.168.254.2:22      192.168.254.4:4341
root     sshd       192    4 tcp4   192.168.254.2:22      192.168.254.4:4341
root     nmbd       164    6 udp4   *:137                 *:*
root     nmbd       164    7 udp4   *:138                 *:*
root     nmbd       164    8 udp4   192.168.254.2:137     *:*
root     nmbd       164    9 udp4   192.168.254.2:138     *:*
root     smbd       162   12 tcp4   *:445                 *:*
root     smbd       162   13 tcp4   *:139                 *:*
root     sendmail   116    4 tcp4   127.0.0.1:25          *:*
root     sshd       113    3 tcp4   192.168.254.2:22      *:*
root     inetd      109    4 tcp4   *:21                  *:*
root     inetd      109    5 tcp4   *:110                 *:*
root     rpc.stat    95    3 udp4   *:1013                *:*
root     rpc.stat    95    4 tcp4   *:1022                *:*
root     mountd      87    3 udp4   *:1023                *:*
root     mountd      87    4 tcp4   *:1023                *:*
daemon   portmap     85    3 udp4   *:111                 *:*
daemon   portmap     85    4 tcp4   *:111                 *:*
root     syslogd     81    5 udp4   *:514                 *:*

[root@curly ~]# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Mon Sep 22 08:28:22 2003
# Created: Mon Sep 22 08:28:22 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.254.254"
hostname="curly.howse.no-ip.org"
ifconfig_tx0="inet 192.168.254.2  netmask 255.255.255.0"
kern_securelevel_enable="NO"
moused_enable="NO"
moused_type="NO"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.254.2"
portmap_enable="YES"
mountd_flags="-l"
nfs_client_enable="YES"
saver="daemon"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
ntpdate_enable="YES"
ntpdate_flags="time.nist.gov"
xntpdate_enable="YES"
syslogd_enable="YES"
syslog_flags="-ss"
clear_tmp_enable="YES"
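
As an added example (not code from this thread or from either poster), the two questions in the exchange put into a checkable form: a filter that flags syslog lines carrying the signature of the statd format-string probe quoted above (runs of %8x, a %hn write, a NOP sled that cat -v renders as M-^P), and a check over `sockstat -4` output that lists which of the RPC daemons are still bound to the wildcard address. The sample log lines and the sockstat table below are constructed for the demo, abridged from the shape of the output in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: two defender-side checks written
# as POSIX sh functions so they can be run against saved output on a
# FreeBSD host. Function names are my own.

# Constructed sample syslog lines (not the poster's exact log). The first
# one has the shape of the statd format-string probe quoted in the thread.
SAMPLE_LOG='Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat: %8x%8x%8x%8x%8x%hnM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
Oct  8 20:39:01 curly sshd[200]: Accepted publickey for charles from 192.168.254.4
Oct  8 20:40:12 curly rpc.statd: invalid hostname to sm_stat: nothost.example'

# Constructed sample in the format of `sockstat -4` (abridged, not the
# exact table from the thread).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       113    3 tcp4   192.168.254.2:22      *:*
root     rpc.stat    95    3 udp4   *:1013                *:*
root     rpc.stat    95    4 tcp4   *:1022                *:*
root     mountd      87    3 udp4   *:1023                *:*
daemon   portmap     85    3 udp4   *:111                 *:*
root     syslogd     81    5 udp4   *:514                 *:*'

# 1. Print log lines from stdin that show format-string exploit signatures:
#    four or more %Nx conversions in a row, a %n or %hn write, or a run of
#    eight or more 0x90 bytes as cat -v shows them (M-^P).
flag_fmtstr_lines() {
    grep -E '(%[0-9]*x){4,}|%h?n|(M-\^P){8,}'
}

# Number of flagged lines in the constructed sample (1 expected).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_fmtstr_lines | wc -l | tr -d ' '
}

# 2. From `sockstat -4` output on stdin, print "COMMAND PORT" for every
#    socket of the named commands that is bound to the wildcard address.
#    $1 is an extended regex of command names, e.g. 'rpc.stat|mountd|portmap'.
#    Field 6 is LOCAL ADDRESS; the header line (NR == 1) is skipped.
#    An empty result means none of those daemons listens on every
#    interface. The thread's own sockstat output shows rpc.stat, mountd
#    and portmap still on * after nfs_server_flags="-h ..." was set, so
#    that flag alone does not change what this check reports for them.
wildcard_listeners() {
    awk -v pat="$1" '
        NR > 1 && $2 ~ ("^(" pat ")$") && $6 ~ /^\*:/ {
            split($6, a, ":"); print $2, a[2]
        }'
}

# Stand-alone demo on the constructed samples. On a live host replace the
# second printf with:  sockstat -4 | wildcard_listeners 'rpc.stat|mountd|portmap'
printf '%s\n' "$SAMPLE_LOG" | flag_fmtstr_lines
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners 'rpc.stat|mountd|portmap'
```

The log filter is deliberately loose (a few `%Nx` in a row, or a NOP sled) so it keys on the technique rather than on one payload; the sockstat check answers the "am I protected" question directly, since a daemon on `*:port` is reachable on the outside interface regardless of what nfsd or sshd were told to bind to.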
