Date: Mon, 4 Jun 2001 13:05:53 +0200
From: Gino Thomas <ingram@vc-protect.net>
To: freebsd-security@freebsd.org
Subject: Re: rpc.statd attack before ipfw activated
Message-ID: <E156sBF-0003my-00@mrvdom00.schlund.de>
On Mon, 4 Jun 2001 01:30:42 -0500 (CDT), Josh Thomas <jdt2101@ksu.edu> wrote:

> ^X\xf7\xff\xbf^
> X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\
> xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n

Seems to be a typical shellcode string.

> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
-- cut --

I have seen this before, aren't those "NOPs" (x90)? Or are those return addresses?
A "typical" attack buffer looks like this:

nopnopnopnopshellcode/bin/shretretretretret

It seems you've been hit by an exploit which tries to get a remote shell. Do you have dumps of the arbitrary packets?

> And it cut off there. This is a home machine, and yes, I realize that a
> firewall should have been running first, however, I didn't have time. I'm
> a relative novice to rpc and nfs in general, so any clues would be
> appreciated. Thanks,

Take a look at snort, in my case it protects from many attacks like this (because not many attackers are skilled enough to hack up the shellcode etc. to fool the IDS). Also try to minimize services that run as root or execute suid programs.

my regards
Gino Thomas
System Security Assistant

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message