From owner-freebsd-questions Wed Dec 12 21:18:54 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from Mail4.carolina.rr.com (fe4.southeast.rr.com [24.93.67.51]) by hub.freebsd.org (Postfix) with ESMTP id 4E73537B41F for ; Wed, 12 Dec 2001 21:18:40 -0800 (PST)
Received: from snafu.enterit.com ([66.57.159.198]) by Mail4.carolina.rr.com with Microsoft SMTPSVC(5.5.1877.687.68); Thu, 13 Dec 2001 00:22:07 -0500
Message-Id: <5.1.0.14.0.20011213004148.0300cea0@mail.enterit.com>
X-Sender: jconner@enterit.com@mail.enterit.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 13 Dec 2001 00:42:34 -0500
To: jacks@sage-american.com
From: Jim Conner
Subject: Re: Intruder attempts?
Cc: "BSDJunk" ,
In-Reply-To: <3.0.5.32.20011211235118.01078190@mail.sage-american.com>
References: <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com> <048101c18149$ca0363a0$0801a8c0@lan.1729.net> <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 23:51 12.11.2001 -0600, jacks@sage-american.com wrote:
>If I turn off rpc_statd_enable, what does that do to the NFS server...???

Honestly, I do not know. I have very little experience with NFS (as I have
possibly already demonstrated :) Perhaps someone else could help ya with
this one.

- Jim :)

>At 12:35 AM 12.12.2001 -0500, Jim Conner wrote:
> >At 08:10 12.10.2001 +0100, BSDJunk wrote:
> >
> >>Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and
> >>for NIS e.g.
> >
> >Heh, I hate it when I say dumb, i.e. wrong, things. :) Thank you for
> >correcting me. However, I am still correct that this is an rpc.statd
> >exploit. In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and
> >make it equal to "NO".
> >
> >>----- Original Message -----
> >>From: "Jim Conner"
> >>To:
> >>Cc:
> >>Sent: Monday, December 10, 2001 7:46 AM
> >>Subject: Re: Intruder attempts?
> >>
> >> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> >> > >I've noticed this often on the console of the server and appears to be
> >> > >intruder attempts to login: This is just a snippet:
> >> > >
> >> > >server1.net kernel log messages:
> >> > > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
> >> > >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
> >> > >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
> >> > >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> >> > >
> >> > This is a bad thing. This is somebody attempting to use a buffer overflow
> >> > exploit against your rpc services. If you don't need them, I suggest you
> >> > turn portmap off. That means that if you don't want or need people
> >> > rsh'ing, rcp'ing, etc. into your box, turn off portmap.
> >> >
> >> > - Jim
> >> >
> >> > >Best regards,
> >> > >Jack L. Stone,
> >> > >Server Admin
> >> > >
> >> > >Sage-American
> >> > >http://www.sage-american.com
> >> > >jacks@sage-american.com
> >> >
> >> > - Jim
> >
> >- Jim
>
>Best regards,
>Jack L. Stone,
>Server Admin
>
>Sage-American
>http://www.sage-american.com
>jacks@sage-american.com

- Jim

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861

-----BEGIN PERL GEEK CODE BLOCK-----      ------BEGIN GEEK CODE BLOCK------
Version: 0.01                             Version: 3.12
P++>*@$c?P6?R+++>++++@$M                  GIT/CM/J d++(--) s++:++ a-
>++++$O!MA->++++E!>                       PU-->+++BD C++++(+) UB++++$L++++$S++++$
$C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++   P++(+)>+++++ L+++(++++)>+++++$ !E*
+PP+++>++++n-CO?PO!o                      >++++G W++(+++) N+ o !K w--- PS---(-)@ PE
>*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+   Y+>+++ PGP t+(+++)>+++@ 5- X++ R@
>*@$uS+>*@$uH+uo+w-@$m!                   tv+ b? DI-(+++) D+++(++) G(++++)
------END PERL GEEK CODE BLOCK------      ------END GEEK CODE BLOCK------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
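The two practical points in this thread, spotting the rpc.statd "invalid hostname to sm_stat" entries in syslog and confirming that rc.conf really turns rpc.statd and portmap off, as an added sh example that is not part of the thread. The log lines are constructed, the rc.conf files are written to a scratch directory, and the grep/sed patterns are my own, not anything from FreeBSD's rc scripts.

```shell
#!/bin/sh
# Constructed syslog sample modelled on the thread's snippet (not copied from
# it): two rpc.statd "invalid hostname to sm_stat" entries whose hostname field
# carries printf-style directives (%8x, %n) and vis-encoded bytes, plus one
# benign line that must not be counted.
SAMPLE_LOG='Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: ^X\M-w\M^?\M-?%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^P
Dec  8 03:42:01 sage-one sshd[412]: Accepted publickey for jacks from 10.0.0.5 port 40022
Dec  8 03:45:13 sage-one rpc.statd: invalid hostname to sm_stat: %8x%8x%8x%n'

# Count sm_stat complaints whose "hostname" contains %n or a run of %8x.
# No legitimate hostname contains printf directives, so every hit is a
# format-string attack attempt against rpc.statd and worth alerting on.
count_statd_attempts() {
    printf '%s\n' "$1" \
      | grep 'rpc\.statd: invalid hostname to sm_stat:' \
      | grep -c -e '%[0-9]*n' -e '%8x%8x' || true
}

# rc.conf is layered: /etc/defaults/rc.conf is read first and /etc/rc.conf
# overrides it, so the last assignment wins. Given a variable name and the
# files in that order, print the effective value (quotes stripped) or "unset".
effective_rc_value() {
    name="$1"; shift
    val=$(cat "$@" 2>/dev/null \
      | sed -n "s/^[[:space:]]*${name}=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" \
      | tail -n 1)
    echo "${val:-unset}"
}

# The thread's advice: rpc.statd off, and portmap off too unless NFS or NIS is
# really needed. Prints "closed" when both are NO, else the services still on.
audit_rc() {
    open=""
    [ "$(effective_rc_value rpc_statd_enable "$@")" = NO ] || open="$open rpc.statd"
    [ "$(effective_rc_value portmap_enable "$@")" = NO ] || open="$open portmap"
    open="${open# }"
    echo "${open:-closed}"
}

# Self-check against constructed rc.conf files in a scratch directory.
demo_audit() {
    dir=$(mktemp -d) || return 1
    printf 'portmap_enable="YES"\nrpc_statd_enable="YES"\n' > "$dir/defaults"
    printf 'sshd_enable="YES"\n' > "$dir/rc.conf.before"
    printf 'rpc_statd_enable="NO"  # per the list advice\nportmap_enable="NO"\n' > "$dir/rc.conf.after"
    before=$(audit_rc "$dir/defaults" "$dir/rc.conf.before")
    after=$(audit_rc "$dir/defaults" "$dir/rc.conf.after")
    rm -rf "$dir"
    echo "before:$before after:$after"
}
```

On a real host run `audit_rc /etc/defaults/rc.conf /etc/rc.conf` and feed `count_statd_attempts` the output of `cat /var/log/messages`; a non-zero count with rpc.statd still enabled is the combination the thread warns about.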