From owner-freebsd-questions Fri Sep 14 10:44:19 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from darkstar.umd.edu (darkstar.umd.edu [128.8.215.163]) by hub.freebsd.org (Postfix) with ESMTP id 3318737B40A for ; Fri, 14 Sep 2001 10:44:15 -0700 (PDT)
Received: from glue.umd.edu (localhost [127.0.0.1]) by darkstar.umd.edu (8.11.6/8.11.4) with ESMTP id f8EHfIW02443; Fri, 14 Sep 2001 13:41:22 -0400 (EDT) (envelope-from bfoz@glue.umd.edu)
Message-ID: <3BA2413E.F952270E@glue.umd.edu>
Date: Fri, 14 Sep 2001 13:41:18 -0400
From: Brandon Fosdick
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Porter
Cc: David DeTinne , freebsd-questions@FreeBSD.ORG
Subject: Re: Possible Attack
References: <200109131755480608.0773527C@63.204.69.245> <200109141451.f8EEpfc29800@c1828785-a.saltlk1.ut.home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Mike Porter wrote:
> This is a symptom of an rpc.statd Linux attack. It probably says something
> like "rpc.statd: invalid hostname to sm_stat: ^PM-^PM-^PM.... " for about six
> lines. As far as I understand, our version of rpc isn't vulnerable to this.
> I haven't (yet) figured out how to block this in ipf. Anyone have any
> pointers?

I've been seeing this stuff in my logs for a while too, but lately with a twist...
> Sep 13 21:40:36 uav rpc.statd: invalid hostname to sm_stat: ^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> syslogd: /dev/console: Interrupted system call

Is that last line something I should be worried about?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
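Added example (not part of the thread, and not code from any rpc.statd): a small C program covering the two points the thread turns on. First, why the payload in the log looks the way it does: the Linux nfs-utils rpc.statd hole (CVE-2000-0666) was a format-string bug, the peer-supplied hostname reached syslog() as the format argument, so "%8x" pops the stack, "%62716x%hn" and "%51859x%hn" write two 16-bit halves of a value to an address placed at the front of the string, and the long "M-^P" tail is a sled of 0x90 NOP bytes as syslog renders them. A daemon that logs the name through "%s" prints the directives verbatim instead of expanding them, which is exactly what the FreeBSD box in the thread did. Second, a check that picks such lines out of syslog and ignores everything else (the "syslogd: /dev/console" line simply is not an sm_stat message, so it is not flagged either way). The sample log lines are constructed for the example (the exploit line mirrors the one above with the sled cut to 12 bytes); the function names, the struct and the threshold of eight NOPs are my choices, not anything from rpc.statd or the list.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from any rpc.statd.
 * The bug class: the vulnerable rpc.statd handed the peer-supplied
 * hostname to syslog() as the FORMAT argument. %x then reads the stack,
 * %hn writes a 16-bit value to an address the attacker put in the string. */
static void log_hostname_vulnerable(char *out, size_t n, const char *host)
{
    snprintf(out, n, host);   /* host is interpreted as a format: the hole */
}

/* Hardened shape: the hostname is data, never a format string. */
static void log_hostname_safe(char *out, size_t n, const char *host)
{
    snprintf(out, n, "invalid hostname to sm_stat: %s", host);
}

struct statd_verdict {
    int is_sm_stat;        /* line is an rpc.statd "invalid hostname to sm_stat" */
    int write_directives;  /* %n, %hn, %ln: the memory-corrupting part */
    int read_directives;   /* %x and friends: stack pops used to reach the target */
    int nop_run;           /* longest run of 0x90; cat -v / syslog show it as "M-^P" */
};

/* Skip a printf width and length so "%62716x" and "%hn" are both recognised. */
static const char *skip_width_and_length(const char *q)
{
    while (*q >= '0' && *q <= '9') q++;
    if (*q == 'h' || *q == 'l') q++;
    return q;
}

static void count_directives(const char *s, int *writes, int *reads)
{
    *writes = *reads = 0;
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        const char *q = skip_width_and_length(p + 1);
        if (*q == 'n')
            (*writes)++;
        else if (*q != '\0' && strchr("xXdiupsc", *q) != NULL)
            (*reads)++;
    }
}

/* Longest run of NOPs, whether as raw 0x90 bytes or as the "M-^P" rendering. */
static int longest_nop_run(const char *s)
{
    int best = 0, run = 0;
    for (const char *p = s; *p != '\0'; ) {
        if ((unsigned char)*p == 0x90)          { run++; p++; }
        else if (strncmp(p, "M-^P", 4) == 0)   { run++; p += 4; }
        else { if (run > best) best = run; run = 0; p++; }
    }
    return run > best ? run : best;
}

/* Returns 1 when the line is an sm_stat message carrying an exploit payload. */
static int classify_statd_line(const char *line, struct statd_verdict *v)
{
    static const char marker[] = "rpc.statd: invalid hostname to sm_stat: ";
    const char *host = strstr(line, marker);
    memset(v, 0, sizeof *v);
    if (host == NULL)
        return 0;
    v->is_sm_stat = 1;
    host += sizeof marker - 1;
    count_directives(host, &v->write_directives, &v->read_directives);
    v->nop_run = longest_nop_run(host);
    /* A hostname never contains %n, and a run of 8+ NOPs is not a typo. */
    return v->write_directives > 0 || v->nop_run >= 8;
}

/* Constructed sample lines. In the exploit line 0x18 0xf7 0xff 0xbf is
 * 0xbffff718 (a typical Linux i386 stack address), repeated with 0x1a so
 * the two %hn writes land on adjacent 16-bit halves of one 32-bit word. */
static const char EXPLOIT_LINE[] =
    "Sep 13 21:40:36 uav rpc.statd: invalid hostname to sm_stat: "
    "^X\\M-w\\M^?\\M-?^X\\M-w\\M^?\\M-?^Z\\M-w\\M^?\\M-?^Z\\M-w\\M^?\\M-?"
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn"
    "M-^PM-^PM-^PM-^P" "M-^PM-^PM-^PM-^P" "M-^PM-^PM-^PM-^P";
static const char BENIGN_LINE[] =
    "Sep 13 21:40:36 uav rpc.statd: invalid hostname to sm_stat: nfs-client.example.org";
static const char OTHER_LINE[] =
    "Sep 13 21:40:37 uav syslogd: /dev/console: Interrupted system call";

int main(void)
{
    const char *lines[] = { EXPLOIT_LINE, BENIGN_LINE, OTHER_LINE };
    char buf[256];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct statd_verdict v;
        int hit = classify_statd_line(lines[i], &v);
        printf("line %zu: sm_stat=%d writes=%d reads=%d nop_run=%d -> %s\n", i,
               v.is_sm_stat, v.write_directives, v.read_directives, v.nop_run,
               hit ? "format-string exploit attempt" : "not an exploit");
    }
    /* With a directive-free name both loggers agree, which is why the bug
     * survives ordinary testing; only the safe one may ever see peer input. */
    log_hostname_vulnerable(buf, sizeof buf, "nfs-client.example.org");
    printf("vulnerable logger, benign name: %s\n", buf);
    log_hostname_safe(buf, sizeof buf, "%8x%hn");
    printf("safe logger, hostile name, printed verbatim: %s\n", buf);
    return 0;
}
```

Run it as is and the first line is flagged on two independent grounds (two %hn writes and a 12-byte sled), the second is a plain bad hostname, and the third is not an sm_stat message at all. Feeding the full line from the log instead of the shortened one only changes nop_run. The same two signals (a %n-family directive, or a long NOP run, inside the sm_stat message) are what to grep for across a log archive; a real hostname has neither.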