From owner-freebsd-questions Thu Mar 29 19:36:13 2001
Message-ID: <3AC3FECF.BF88BED4@mediaone.net>
Date: Thu, 29 Mar 2001 22:34:39 -0500
From: scott
To: Dan Delaney
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Freaky message in /var/log/messages

That is an attempt at a buffer overflow exploit. Check your version of
rpc.statd (why is this listening to the external interface?) and compare
with any vulnerabilities at cert.org or securityfocus.com. Do you really
need to run that service?

- Scott

Dan Delaney wrote:
>
> Hi all
>
> Lately I've been getting this very bizarre message sent to the
> console and put in /var/log/messages. Here it is:
>
> Mar 29 21:58:47 bakchos rpc.statd: invalid hostname to sm_stat:
> ^Xw^??^Xw^??^Yw^??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%
> 8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P
>
> That's it. The whole thing in its glorious entirety! (All of that is
> actually on one line in the file.)
>
> Anyone have any idea what the hell that's all about? :-)
>
> Thanks a lot.
> -- Dan
> ________________________________________________________________________
> Dionysos@Dionysia.org Daniel G. Delaney
> www.Dionysia.org/~dionysos/
> PGP Public Key: /~dionysos/pgp.html
> ------------------------------------------------------------------------
> A king's castle is his home.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
-----------
Scott Nolde
-----------
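
Added example, not part of the original mailing-list messages: a small Python scanner for syslog lines of the kind quoted above. It flags rpc.statd "invalid hostname to sm_stat" entries whose logged hostname contains printf-style conversion directives (in particular %n), control characters in caret notation, or is otherwise not shaped like a hostname; the sample log, the threshold of three directives and the function names are constructed for illustration.

```python
import re

# Constructed sample input, not real logs. The second line is a shortened
# imitation of the message quoted above; the others are benign or minimal.
SAMPLE_LOG = """\
Mar 29 21:50:01 bakchos rpc.statd: invalid hostname to sm_stat: oldclient.example.net
Mar 29 21:58:47 bakchos rpc.statd: invalid hostname to sm_stat: ^Xw^??^Xw^??%8x%8x%8x%236x%n%137x%n^P^P^P^P^P^P^P^P
Mar 29 22:03:10 bakchos sshd[412]: Connection from 192.0.2.10 port 4021
Mar 29 22:04:55 bakchos rpc.statd: invalid hostname to sm_stat: 100%n
"""

SYSLOG_RE = re.compile(  # timestamp, host, program, optional [pid], message
    r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^:\[\s]+)(?:\[\d+\])?:\s(.*)$")
DIRECTIVE_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXcspn])")
CTRL_RE = re.compile(r"\^[@-_?]|[\x00-\x08\x0b-\x1f\x7f]")  # ^X style or raw bytes
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
PREFIX = "invalid hostname to sm_stat: "

def findings(hostname):
    """Return the reasons a logged hostname string looks like hostile input."""
    reasons = []
    convs = DIRECTIVE_RE.findall(hostname)  # conversion letters only
    if "n" in convs:
        reasons.append("write directive %n")
    if len(convs) >= 3:  # assumed threshold: a real name has none at all
        reasons.append(f"{len(convs)} printf directives")
    ctrl = len(CTRL_RE.findall(hostname))
    if ctrl:
        reasons.append(f"{ctrl} control characters")
    if not reasons and not HOSTNAME_RE.match(hostname):
        reasons.append("not a valid hostname")
    return reasons

def scan(log_text, program="rpc.statd"):
    """Return [(timestamp, reasons)] for suspicious lines logged by program."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group(3) != program or not m.group(4).startswith(PREFIX):
            continue
        reasons = findings(m.group(4)[len(PREFIX):])
        if reasons:
            hits.append((m.group(1), reasons))
    return hits

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, "rpc.statd:", "; ".join(reasons))
```

To check a real host, pass the text of /var/log/messages to `scan()` in place of `SAMPLE_LOG`.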