Date: Mon, 4 Jun 2001 10:06:15 +0300
From: Peter Pentchev
To: Josh Thomas
Cc: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <20010604100615.B31878@ringworld.oblivion.bg>
References: <3B1A92C6.8030301@bsd.st>

On Mon, Jun 04, 2001 at 01:30:42AM -0500, Josh Thomas wrote:
> I didn't set up ipfw for a couple of days in between setting up a small
> nfs server for an in-home lan, and I got this in my system log. I realize
> that I should have set up ipfw before doing this now, but any ideas what
> just happened? Here is the log:
> Jun 2 19:36:41 thatguys rpc.statd: invalid hostname to
> sm_stat: ^X\xf7\xff\xbf^ [snip]
>
> And it cut off there. This is a home machine, and yes, I realize that a
> firewall should have been running first, however, I didn't have time. I'm
> a relative novice to rpc and nfs in general, so any clues would be
> appreciated. Thanks,

There is no known vulnerability in recent FreeBSD rpc.statd(8).
However, there *have* been known vulnerabilities in rpc.statd's
of several other OS's in relatively recent versions.
What you are seeing is someone trying to exploit such a vulnerability,
and failing, causing no harm whatsoever to your system.

G'luck,
Peter

-- 
This sentence would be seven words long if it were six words shorter.
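Added example, not part of the original message: a small Python triage script for the kind of log entry discussed above. It picks rpc.statd "invalid hostname to sm_stat" lines out of syslog text and separates plain unresolvable names from arguments carrying escaped control or high bytes. The function names, the verdict labels and every sample line except the first (taken from the post, joined onto one line) are assumptions made for illustration.

```python
import re

# rpc.statd rejection line as it appears in syslog; the [pid] part is optional.
STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"rpc\.statd(?:\[\d+\])?:\s+invalid hostname to sm_stat:\s?(?P<arg>.*)$"
)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,255}$")  # characters a real hostname uses
CARET_RE = re.compile(r"\^[@-_?]")                   # control byte as logged, e.g. ^X
HEX_RE = re.compile(r"\\x[0-9a-fA-F]{2}")            # high byte as logged, e.g. \xf7

def classify(arg):
    """Return the reasons an sm_stat argument does not look like a hostname."""
    if HOSTNAME_RE.match(arg):
        return []  # well-formed name that simply failed to resolve
    reasons = []
    if CARET_RE.search(arg):
        reasons.append("control-bytes")
    if HEX_RE.search(arg):
        reasons.append("high-bytes")
    return reasons or ["non-hostname-chars"]

def scan(lines):
    """Return one finding per rpc.statd rejection line; other lines are skipped."""
    findings = []
    for line in lines:
        m = STATD_RE.match(line.rstrip("\n"))
        if not m:
            continue
        reasons = classify(m.group("arg"))
        findings.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "verdict": "suspicious" if reasons else "benign",
            "reasons": reasons,
        })
    return findings

SAMPLE = [
    # Line quoted in the post, with its two wrapped halves joined.
    r"Jun 2 19:36:41 thatguys rpc.statd: invalid hostname to sm_stat: ^X\xf7\xff\xbf^ [snip]",
    # Constructed: an ordinary name that is assumed not to resolve.
    "Jun 2 19:40:02 thatguys rpc.statd[214]: invalid hostname to sm_stat: nfsclient.lan",
    # Constructed: unrelated daemon, must be ignored.
    "Jun 2 19:41:10 thatguys mountd[198]: mount request from 192.168.0.5 for /export",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "suspicious" verdict only says the argument was not a hostname; whether the host was actually affected depends on the rpc.statd implementation, as the reply above explains.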