From: "oldfart@gtonet"
Delivered-To: freebsd-security@freebsd.org
Subject: RE: strange messages
Date: Thu, 8 Mar 2001 08:08:45 -0800
In-Reply-To: <20010308164406.A383@nebula.cybercable.fr>

> -----Original Message-----
> From: Maxime Henrion [mailto:mux@qualys.com]
> Sent: Thursday, March 08, 2001 7:44 AM
> To: security@freebsd.org
> Cc: oldfart@gtonet
> Subject: Re: strange messages
>
>
> oldfart@gtonet wrote:
> > > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > > (surprise!) doesn't work on FreeBSD. :-)
> >
> > No, I don't think so, because I get that error on my NFS server too and I
> > know who's on that box and what they're running (unless this is a remote
> > exploit)
> It *is* a remote exploit.
>
> Maxime

Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat respectively, at my firewall. If this *is* indeed an attempted exploit I *should* be dropping the packets and logging where it came from if it's not spoofed. If I *do* end up with more of those errors then that should prove it's *not* an exploit attempt, right?

Only time will tell,

OF

> --
> Don't be fooled by cheap finnish imitations ; BSD is the One True Code
> Key fingerprint = F9B6 1D5A 4963 331C 88FC CA6A AB50 1EF2 8CBE 99D6
> Public Key : http://www.epita.fr/~henrio_m/