Date:      Fri, 14 Sep 2001 13:41:18 -0400
From:      Brandon Fosdick <bfoz@glue.umd.edu>
To:        Mike Porter <mupi@mknet.org>
Cc:        David DeTinne <David@DeTinne.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Possible Attack
Message-ID:  <3BA2413E.F952270E@glue.umd.edu>
References:  <200109131755480608.0773527C@63.204.69.245> <200109141451.f8EEpfc29800@c1828785-a.saltlk1.ut.home.com>

Mike Porter wrote:
> This is a symptom of an rpc.statd linux attack.  It probably says something
> like "rpc.statd: invalid hostname to sm_stat: ^PM-^PM-^PM.... " for about six
> lines.  As far as I understand, our version of rpc isn't vulnerable to this.
> I haven't (yet) figured out how to block this in ipf.  Anyone have any
> pointers?

I've been seeing this stuff in my logs for a while too, but lately with a
twist...

> Sep 13 21:40:36 uav rpc.statd: invalid hostname to sm_stat:
^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-^P
>   syslogd: /dev/console: Interrupted system call



Is that last line something I should be worried about?
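
A log-triage sketch for the signature discussed in this thread, added here as an example and not code from either poster: it flags rpc.statd "invalid hostname to sm_stat" entries whose argument carries printf-style directives (especially %hn) or a long run of M-^P, the escaped form of byte 0x90. The sample lines, the 8-repeat threshold and the function names are assumptions constructed for illustration.

```python
import re

# rpc.statd complaint seen in the thread; the PID suffix is optional.
STATD = re.compile(r"rpc\.statd(?:\[\d+\])?: invalid hostname to sm_stat: (?P<arg>.*)$")
# printf-style conversions such as %8x, %62716x and %hn.
FMT = re.compile(r"%\d*(?:hh|h|ll|l)?[diouxXsnp]")
# %n-family conversions are the ones that write to memory.
WRITE = re.compile(r"%\d*(?:hh|h|ll|l)?n")
# M-^P is the escaped form of byte 0x90; 8 repeats is an assumed threshold.
NOP_RUN = re.compile(r"(?:M-\^P){8,}")

# Constructed sample lines modelled on the entry quoted in the message.
SAMPLE_LOG = [
    r"Sep 13 21:40:36 uav rpc.statd: invalid hostname to sm_stat: "
    r"^X\M-w\M^?\M-?%8x%8x%8x%62716x%hn%51859x%hn" + "M-^P" * 40,
    "Sep 13 21:41:02 uav rpc.statd: invalid hostname to sm_stat: bad/name",
    "Sep 13 21:42:10 uav sshd[411]: Accepted publickey for admin from 192.0.2.10",
]


def classify(line):
    """Return None for unrelated lines, else counts of each indicator."""
    m = STATD.search(line)
    if not m:
        return None
    arg = m.group("arg")
    sled = NOP_RUN.search(arg)
    return {
        "format_directives": len(FMT.findall(arg)),
        "write_directives": len(WRITE.findall(arg)),
        "nop_bytes": len(sled.group(0)) // 4 if sled else 0,
    }


def is_exploit_attempt(line):
    """True when a statd entry carries %n writes or a NOP-style run."""
    hit = classify(line)
    return bool(hit) and (hit["write_directives"] > 0 or hit["nop_bytes"] > 0)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        if is_exploit_attempt(entry):
            print("ALERT", entry[:60], classify(entry))
```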