From: Gino Thomas
X-Mailer: Arrow 1.0.8 (X11; FreeBSD 4.3-RELEASE; i386)
To: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Date: Mon, 4 Jun 2001 13:05:53 +0200

On Mon, 4 Jun 2001 01:30:42 -0500 (CDT), Josh Thomas wrote:

> ^X\xf7\xff\xbf^
> X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\
> xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n

Seems to be a typical shellcode string.

> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-- cut --

I have seen this before, aren't those "NOPs" (x90)? Or are those return addresses?
A "typical" attack buffer looks like this:

nopnopnopnopshellcode/bin/shretretretretret

It seems you've been hit by an exploit which tries to get a remote shell.
Do you have dumps of the arbitrary packets?

> And it cut off there. This is a home machine, and yes, I realize that a
> firewall should have been running first, however, I didn't have time. I'm
> a relative novice to rpc and nfs in general, so any clues would be
> appreciated. Thanks,

Take a look at snort, in my case it protects from many attacks like this (because not many attackers are skilled enough to hack up the shellcode etc. to fool the IDS).
Also try to minimize services that run as root or execute suid programs.

My regards
Gino Thomas
System Security Assistant
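A defender-side check for the two things Gino points at in the quoted log (added example, not part of the original thread): it decodes the `cat -v` style `M-^P` / `^X` and `\xHH` notation in which syslog and mail clients show non-printable bytes, then counts 0x90 (NOP) runs and `%n` / `%Nx` conversions in a logged rpc.statd request. The log lines are constructed, the statd message wording is assumed, and the input is assumed to be ASCII.

```python
import re
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")

def decode_cat_v(text: str) -> bytes:
    """cat -v notation back to bytes: ^X->0x18, ^?->0x7f, M-^P->0x90, M-a->0xe1, \\xf7->0xf7."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = HEX_ESC.match(text, i)
        if m:                              # \xHH as pasted by some mail clients
            out.append(int(m.group(1), 16))
            i = m.end()
            continue
        meta = text.startswith("M-", i) and i + 2 < len(text)
        if meta:                           # M- marks the high bit set
            i += 2
        if text[i] == "^" and i + 1 < len(text):   # ^C is a control character
            c = text[i + 1]
            b = 0x7F if c == "?" else (ord(c) ^ 0x40) & 0x7F
            i += 2
        else:
            b = ord(text[i]) & 0xFF
            i += 1
        out.append(b | 0x80 if meta else b)
    return bytes(out)

def analyse(line: str) -> dict:
    """Score one syslog line for the two signals visible in the quoted attack."""
    data = decode_cat_v(line)
    longest = max((len(m.group()) for m in re.finditer(rb"\x90+", data)), default=0)
    writes = len(re.findall(rb"%\d*n", data))   # %n: the format-string write primitive
    reads = len(re.findall(rb"%\d*x", data))    # %8x, %236x: stack reads that line up the %n
    return {
        "longest_nop_run": longest,
        "format_writes": writes,
        "format_reads": reads,
        # %n has no business in a hostname; lone 0x90 runs can be binary noise, so only long ones count
        "suspicious": writes > 0 or longest >= 8,
    }

# Constructed log lines modelled on the quoted post; the statd message text is assumed.
ATTACK_LOG = (
    "Jun  4 01:30:42 homebox rpc.statd: SM_MON request for hostname: "
    + "M-^P" * 16
    + r"^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf"
    + "%8x" * 9 + "%236x%n%137x%n%10x%n%192x%n"
)
BENIGN_LOG = "Jun  4 01:31:00 homebox rpc.statd: SM_MON request for hostname: nfsclient.example"
```

`analyse(ATTACK_LOG)` reports a 16-byte NOP run, four `%n` writes and thirteen `%x` reads, while the benign line scores nothing; the `%n` count is the stronger signal, since a hostname never legitimately carries a write conversion.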