From owner-freebsd-security Thu Mar 8 8:28: 5 2001
From: "oldfart@gtonet"
Subject: RE: strange messages
Date: Thu, 8 Mar 2001 08:27:58 -0800
In-Reply-To: <20010308081740.B84970@mollari.cthul.hu>
Sender: owner-freebsd-security@FreeBSD.ORG

Well so far it's just been a few minutes and already the firewall caught an
IP from .tw (210.68.55.97) port scanning 111, the entire class-C prolly. Man,
my logs show *LOTS* of those errors, if those were all exploit attempts
there's been a bunch of busy-little-linux-weenies(TM).

Time will tell,

OF

> -----Original Message-----
> From: Kris Kennaway [mailto:kris@obsecurity.org]
> Sent: Thursday, March 08, 2001 8:18 AM
> To: oldfart@gtonet
> Cc: Will Andrews; Will Mitayai Keeso Rowe; freebsd-security@FreeBSD.ORG
> Subject: Re: strange messages
>
>
> On Thu, Mar 08, 2001 at 07:40:08AM -0800, oldfart@gtonet wrote:
> > > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > > (surprise!) doesn't work on FreeBSD. :-)
> > >
> >
> > No, I don't think so, because I get that error on my NFS server too and I
> > know who's on that box and what they're running (unless this is a remote
> > exploit) I can certainly block the port (#?) via my firewall but I don't
> > think that's it. I think it's a problem that's been ignored and written off
> > as an attempted exploit on many boxes.
>
> No, it IS an inapplicable remote rpc.statd exploit which never applied
> to FreeBSD. Notice all of the %x and %n operators in the string
> they're sending; these are the signatures of a format string bug,
> which the Linux rpc.statd suffered from, but which is different code
> to what BSD uses and therefore not an applicable vulnerability, and
> nothing more than an annoyance unless you have Linux systems you
> haven't updated in a while.
>
> > > Mar 6 18:26:19 mls rpc.statd: invalid hostname to sm_stat:
> > > ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8
> x%236x%n%1
> > > 37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> M-^PM-^PM-
> > > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> M-^PM-^PM-
>
> Kris
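
Added example, not part of the original thread: a small log triage script that applies the signature Kris describes (%x and %n conversions in the rpc.statd "invalid hostname to sm_stat" message) to syslog lines. The sample lines are constructed and shortened, and the function names and verdict labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the syslog excerpt quoted in the thread;
# payloads are shortened and the second host and the sshd line are made up.
SAMPLE_LOG = r"""
Mar  6 18:26:19 mls rpc.statd: invalid hostname to sm_stat: ^X^X%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^P
Mar  6 18:31:02 mls rpc.statd: invalid hostname to sm_stat: build host
Mar  6 18:40:44 nfs1 rpc.statd: invalid hostname to sm_stat: %8x%8x%8x%8x%62x%n%nM-^PM-^P
Mar  6 18:41:10 nfs1 sshd[212]: Accepted publickey for admin
"""

# syslog line from rpc.statd carrying the rejected "hostname" argument
STATD = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+rpc\.statd(?:\[\d+\])?:\s+"
                   r"invalid hostname to sm_stat:\s*(.*)$")
# printf-style conversion: flags, width, precision, length modifier, conversion
DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXspn])")

def classify(payload):
    """Score one logged hostname argument for format-string signatures."""
    convs = Counter(DIRECTIVE.findall(payload))
    total = sum(convs.values())
    if convs["n"]:
        verdict = "format-string-write"   # %n stores a count through a pointer
    elif total:
        verdict = "format-string-read"    # %x and friends only read arguments
    else:
        verdict = "other"
    # syslog prints byte 0x90 in meta-control notation as "M-^P"
    return {"verdict": verdict, "conversions": total,
            "percent_n": convs["n"], "byte_0x90": payload.count("M-^P")}

def scan(log_text):
    """Return one finding per rpc.statd 'invalid hostname' line."""
    findings = []
    for line in log_text.splitlines():
        m = STATD.match(line)
        if m:
            findings.append({"time": m.group(1), "host": m.group(2),
                             **classify(m.group(3))})
    return findings

def hits_by_host(findings):
    """Count format-string probes per logging host."""
    return Counter(f["host"] for f in findings
                   if f["verdict"].startswith("format-string"))

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(dict(hits_by_host(scan(SAMPLE_LOG))))
```

A hit only shows that the request carried format-string conversions; whether the receiving rpc.statd is affected depends on the implementation, as the quoted reply explains.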