From: Mike Porter
To: "David DeTinne", freebsd-questions@freebsd.org
Subject: Re: Possible Attack
Date: Fri, 14 Sep 2001 08:51:40 -0600

On Thursday 13 September 2001 06:55 pm, David DeTinne wrote:
> Could someone explain why I continue to see
> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- scroll across my screen? Is this what
> the remote telnetd script does to the receiving machine? If you could CC a
> reply to me, I would appreciate it.
>
> Thanks,
>
> David DeTinne

This is a symptom of an rpc.statd Linux attack. It probably says something
like "rpc.statd: invalid hostname to sm_stat: ^PM-^PM-^PM.... " for about six
lines. As far as I understand, our version of rpc isn't vulnerable to this.

I haven't (yet) figured out how to block this in ipf. Anyone have any
pointers?

mike
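
For readers triaging the same log noise, a small detector for the message quoted above. This is an added example, not part of the original thread: it assumes syslogd's printable notation (`^X` for a control byte, `M-` for a byte with the high bit set, so `M-^P` is byte 0x90) and a log line shaped like the one in the reply. The function names, the run threshold and the sample lines are constructed for illustration.

```python
import re

# Assumed line shape: a syslog entry carrying the message quoted in the reply.
SM_STAT = re.compile(r"rpc\.statd(?:\[\d+\])?: invalid hostname to sm_stat: (.*)$")

def decode_syslog_escapes(text):
    """Undo syslogd's printable notation: ^X is a control byte, M- sets the high bit.
    A hostname with a literal '^' or 'M-' is ambiguous; this decoder prefers the escape."""
    out, i = bytearray(), 0
    while i < len(text):
        high = 0
        if text.startswith("M-", i) and i + 2 < len(text):
            high, i = 0x80, i + 2
        if text[i] == "^" and i + 1 < len(text):
            out.append(high | ((ord(text[i + 1]) ^ 0x40) & 0x7F))
            i += 2
        else:
            out.append(high | (ord(text[i]) & 0x7F))
            i += 1
    return bytes(out)

def longest_run(data):
    """Return (byte, length) for the longest run of one repeated byte."""
    best, run = (None, 0), 0
    for i, b in enumerate(data):
        run = run + 1 if i and b == data[i - 1] else 1
        if run > best[1]:
            best = (b, run)
    return best

def suspicious(line, min_run=8):
    """Flag sm_stat complaints whose 'hostname' is padded with one non-printable byte."""
    m = SM_STAT.search(line)
    if not m:
        return None
    byte, run = longest_run(decode_syslog_escapes(m.group(1)))
    if run >= min_run and not 0x20 <= byte < 0x7F:
        return {"byte": byte, "run": run}
    return None

# Constructed sample lines (not taken from the poster's logs).
SAMPLE = [
    "Sep 13 17:41:02 host rpc.statd: invalid hostname to sm_stat: " + "M-^P" * 40,
    "Sep 13 17:42:10 host rpc.statd: invalid hostname to sm_stat: no-such-host",
    "Sep 13 17:43:00 host sshd[212]: Connection closed",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(suspicious(entry), entry[:70])
```

Lines that match give the repeated byte and run length, which is enough to separate probe traffic from an ordinary failed hostname lookup before deciding what to filter.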