From owner-freebsd-security Thu Aug 17 18:51: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.129.65]) by hub.freebsd.org (Postfix) with ESMTP id CA11C37BB12 for ; Thu, 17 Aug 2000 18:50:39 -0700 (PDT)
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94A646E3351 for ; Thu, 17 Aug 2000 14:27:20 -0700 (PDT)
Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id RAA16515 for freebsd-security@freebsd.org; Thu, 17 Aug 2000 17:23:34 -0400 (EDT)
From: David La Croix
Message-Id: <200008172123.RAA16515@cowpie.acm.vt.edu>
Subject: rpc.statd -- is someone trying to exploit a buffer overflow?
To: freebsd-security@freebsd.org
Date: Thu, 17 Aug 2000 16:23:34 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I manage a fileserver for my company, and it happens to be running FreeBSD 3.4-Stable (April 10) with NFS enabled. I've noticed repeated messages of the form:

    DATE maurice rpc.statd: invalid hostname to sm_stat: lots of binary crap.

The binary stuff takes on 2 values:

    Aug 9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: ^Xw^??^Xw^??^Yw^
    ??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%
    192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P

and

    Aug 9 17:22:50 maurice rpc.statd: Invalid hostname to sm_mon: ^Dw^??^Dw^??^Ew^?
    ?^Ew^??^Fw^??^Fw^??^Gw^??^Gw^??%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x
    %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
    P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^PkK^ v,^Cn
    ^M^(^CF ^0^Cn ^M^.^CF ^CC ^Ck# ^41@^Cn ^HF'^HF*^CF ^HF+ F80+, s^MN,^MV8M

All told, there have been a total of 49 entries like this in the log of this one server.

Can ANYBODY explain what these messages mean? Is it an attempt by someone to exploit a buffer overflow via bad DNS? Is someone (script kiddie) trying to hack boxes all over the place that have an old rpc.statd? Is there anything I should be concerned about? (I am about to enable firewall code on the box in question to block access to RPC and other stuff from outside the immediate lan. Just a little tricky doing this on a production box while people are working).

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
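The log entries quoted in the post are the kind of thing an administrator wants to triage mechanically rather than by eye. The script below is an added example, not part of the original post and not code from FreeBSD's rpc.statd: it scans syslog text for rpc.statd "invalid hostname" rejections and classifies what the remote caller passed as a "hostname". A real hostname contains only letters, digits, `-` and `.`, so a `%` in that field is already abnormal; printf-style directives, and in particular `%n` (which writes to memory), are the signature of a format-string attack on the daemon rather than a DNS problem or a plain stack overflow. The sample log lines are constructed (the raw control bytes from the post are shortened to a `<bin>` placeholder), and the host name `maurice` and the procedure names are taken from the post only as illustration.

```python
import re
from collections import Counter

# Constructed sample syslog text (not the poster's real log). The control bytes
# that precede the directives are replaced by "<bin>"; one line carries a few
# literal non-printable bytes, one is a syntactically normal hostname, and one
# is an unrelated sshd entry the scanner must ignore.
SAMPLE_LOG = """\
Aug  9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: <bin>%8x%8x%8x%236x%n%137x%n%10x%n
Aug  9 07:05:11 maurice rpc.statd: invalid hostname to sm_stat: <bin>%8x%8x%8x%236x%n%137x%n%10x%n
Aug  9 17:22:50 maurice rpc.statd: Invalid hostname to sm_mon: <bin>%08x %08x %0242x%n%055x%n
Aug  9 18:00:02 maurice rpc.statd: invalid hostname to sm_stat: fileserver.example.internal
Aug  9 19:30:00 maurice rpc.statd: invalid hostname to sm_stat: \x18w\x7f\x7f\x18w\x7f\x7f
Aug 10 09:14:33 maurice sshd[123]: Accepted publickey for alice from 10.0.0.5
"""

# One rpc.statd complaint: timestamp, syslog host, SM procedure, rejected name.
STATD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) rpc\.statd: "
    r"[Ii]nvalid hostname to (?P<proc>sm_\w+): (?P<name>.*)$"
)

# One printf conversion: %[flags][width][.precision]<conversion>
FMT_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")

# Characters allowed in a hostname (RFC 952/1123): letters, digits, '-', '.'
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def classify_name(name):
    """Classify the string rpc.statd rejected as a hostname.

    'format-string' : contains %n, a memory-write directive
    'format-leak'   : printf directives present, but no %n
    'plain-name'    : valid hostname syntax, nothing suspicious in the bytes
    'binary'        : non-hostname bytes without printf directives
    """
    directives = FMT_RE.findall(name)
    if any(d.endswith("n") for d in directives):
        return "format-string"
    if directives:
        return "format-leak"
    if HOSTNAME_RE.match(name):
        return "plain-name"
    return "binary"


def scan_statd_log(text):
    """Parse syslog text and return one finding per rpc.statd rejection."""
    findings = []
    for line in text.splitlines():
        m = STATD_RE.match(line)
        if not m:
            continue  # not an rpc.statd hostname rejection
        name = m.group("name")
        findings.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "proc": m.group("proc"),
            "kind": classify_name(name),
            # number of %n directives, i.e. attempted memory writes
            "write_directives": sum(1 for d in FMT_RE.findall(name) if d.endswith("n")),
        })
    return findings


def summarize(findings):
    """Count findings by (procedure, kind) so the attack entries stand apart
    from ordinary lookup failures at a glance."""
    return Counter((f["proc"], f["kind"]) for f in findings)


if __name__ == "__main__":
    found = scan_statd_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['proc']}: {f['kind']} (%n x{f['write_directives']})")
    for (proc, kind), n in sorted(summarize(found).items()):
        print(f"{proc:8} {kind:14} {n}")
```

Run against a real `/var/log/messages`, the `format-string` count answers the poster's first question directly, and the per-procedure summary shows which SM calls (`sm_stat`, `sm_mon`) are being targeted; the `binary` class catches variants whose directives were mangled by the logger, which is why the two classes are kept separate rather than folded into one "suspicious" bucket.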