From: "Charles Howse"
To: "'Kris Kennaway'"
cc: freebsd-questions@freebsd.org
Date: Thu, 9 Oct 2003 07:16:45 -0500
Subject: RE: Unusual logcheck entry
In-Reply-To: <20031009105138.GC7709@rot13.obsecurity.org>
Message-ID: <005d01c38e5f$36fbba10$04fea8c0@moe>

> On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > The following appeared in /var/log/messages in my daily logcheck report:
> >
> > Oct 8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > Oct 8 20:38:47 curly /kernel: -^PM-^PM-^P
> >
> > At that time, I was sitting on the couch watching the Cubs play the
> > Marlins.
> > Any idea what this means?
>
> This is an attempt to exploit an old Linux rpc.statd
> vulnerability; see the mailing list archives for extensive discussion
> a few years ago.

OK, I got some good info from the archives. I realize this is a harmless attack if running FBSD. I also realize that I shouldn't be running rpc on an interface facing the internet. For various reasons, this server is outside my hardware firewall, and I'm not interested in configuring a software firewall.

Correct me if I'm wrong, but it looks to me like rpc.statd is related (at least) to NFS. I've placed the line "nfs_server_flags="-h 192.168.254.2"" in my /etc/rc.conf, and rebooted. I've also edited /etc/ssh/sshd_config, and told it to listen only on 192.168.254.2, and not allow root logins.

Am I now protected from this attack?
(note rpc.stat lines below)

[root@curly ~]# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charles  sshd       194   4  tcp4   192.168.254.2:22      192.168.254.4:4341
root     sshd       192   4  tcp4   192.168.254.2:22      192.168.254.4:4341
root     nmbd       164   6  udp4   *:137                 *:*
root     nmbd       164   7  udp4   *:138                 *:*
root     nmbd       164   8  udp4   192.168.254.2:137     *:*
root     nmbd       164   9  udp4   192.168.254.2:138     *:*
root     smbd       162   12 tcp4   *:445                 *:*
root     smbd       162   13 tcp4   *:139                 *:*
root     sendmail   116   4  tcp4   127.0.0.1:25          *:*
root     sshd       113   3  tcp4   192.168.254.2:22      *:*
root     inetd      109   4  tcp4   *:21                  *:*
root     inetd      109   5  tcp4   *:110                 *:*
root     rpc.stat   95    3  udp4   *:1013                *:*
root     rpc.stat   95    4  tcp4   *:1022                *:*
root     mountd     87    3  udp4   *:1023                *:*
root     mountd     87    4  tcp4   *:1023                *:*
daemon   portmap    85    3  udp4   *:111                 *:*
daemon   portmap    85    4  tcp4   *:111                 *:*
root     syslogd    81    5  udp4   *:514                 *:*

[root@curly ~]# cat /etc/rc.conf
# -- sysinstall generated deltas -- # Mon Sep 22 08:28:22 2003
# Created: Mon Sep 22 08:28:22 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.254.254"
hostname="curly.howse.no-ip.org"
ifconfig_tx0="inet 192.168.254.2 netmask 255.255.255.0"
kern_securelevel_enable="NO"
moused_enable="NO"
moused_type="NO"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.254.2"
portmap_enable="YES"
mountd_flags="-l"
nfs_client_enable="YES"
saver="daemon"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
ntpdate_enable="YES"
ntpdate_flags="time.nist.gov"
xntpdate_enable="YES"
syslogd_enable="YES"
syslog_flags="-ss"
clear_tmp_enable="YES"
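An added check, not part of this thread or of FreeBSD: a small Python script that parses `sockstat -4` output and lists the services still listening on every interface (local address `*`, or any address outside the private ranges), which is exactly what the rc.conf change above was meant to settle. The sample rows are a constructed subset of the output quoted above; treating `127.` and `192.168.` as the only non-exposed prefixes is an assumption.

```python
import re

# Constructed sample: a subset of the sockstat -4 rows quoted in the thread.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charles  sshd       194   4  tcp4   192.168.254.2:22      192.168.254.4:4341
root     nmbd       164   6  udp4   *:137                 *:*
root     smbd       162   12 tcp4   *:445                 *:*
root     sendmail   116   4  tcp4   127.0.0.1:25          *:*
root     sshd       113   3  tcp4   192.168.254.2:22      *:*
root     inetd      109   4  tcp4   *:21                  *:*
root     rpc.stat   95    3  udp4   *:1013                *:*
root     rpc.stat   95    4  tcp4   *:1022                *:*
root     mountd     87    3  udp4   *:1023                *:*
daemon   portmap    85    3  udp4   *:111                 *:*
root     syslogd    81    5  udp4   *:514                 *:*
"""

# USER COMMAND PID FD PROTO LOCAL FOREIGN; the header row fails the \d+ groups.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_sockstat(text):
    """Parse `sockstat -4` output into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        user, cmd, pid, fd, proto, local, foreign = m.groups()
        rows.append({"user": user, "cmd": cmd, "pid": int(pid), "fd": int(fd),
                     "proto": proto, "local": local, "foreign": foreign})
    return rows

def exposed_listeners(text, private_prefixes=("127.", "192.168.")):
    """Return sorted (command, proto, port) for listening sockets (foreign *:*)
    bound to the wildcard address or to any address outside private_prefixes."""
    found = set()
    for r in parse_sockstat(text):
        if r["foreign"] != "*:*":
            continue  # an established connection, not a listener
        host, _, port = r["local"].rpartition(":")
        if host == "*" or not host.startswith(private_prefixes):
            found.add((r["cmd"], r["proto"], int(port)))
    return sorted(found)

if __name__ == "__main__":
    for cmd, proto, port in exposed_listeners(SAMPLE_SOCKSTAT):
        print(f"{cmd:10s} {proto} port {port} is reachable on every interface")
```

Run it against live output with `sockstat -4 | python3 check.py` after swapping the sample for `sys.stdin.read()`; rpc.stat, mountd and portmap are reported because `-h` only binds nfsd, not the other RPC daemons.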