Date: Thu, 8 Mar 2001 12:45:36 -0600
From: Scott Johnson
To: security@freebsd.org
Subject: Re: strange messages
Message-ID: <20010308124536.A23112@ns2.airlinksys.com>
References: <20010308164406.A383@nebula.cybercable.fr>
In-Reply-To: ; from oldfart@gtonet.net on Thu, Mar 08, 2001 at 08:08:45AM -0800

Quoth oldfart@gtonet on Thu, Mar 08, 2001 at 08:08:45AM -0800:
>
> Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> respectively, at my firewall. If this *is* indeed an attempted exploit I
> *should* be dropping the packets and logging where it came from if it's not
> spoofed. If I *do* end up with more of those errors then that should prove
> it's *not* an exploit attempt, right?

RPC ports are dynamically assigned, and portmapper (rpcbind) is the process
that gives out the addresses for rpc services. So blocking the port used today
won't work, since it may be different the next time the process starts.

Which goes to show: You should be denying everything by default at your
firewall, and allowing only what you need.

What if the attempt (assuming this was a remote exploit attempt) was
successful? You'd be a day late.

--
Scott Johnson
System/Network Administrator
Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
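An added illustration of the point made above about dynamically assigned RPC ports; it is example code written for this archive page, not something posted in the thread. It parses two constructed `rpcinfo -p` listings (port numbers for `status` are made up) and compares a "block the ports I saw today" list against a default-deny policy with an explicit allowlist.

```python
# Constructed sample `rpcinfo -p` output from two boots of the same host.
# rpcbind keeps port 111, but the rpc.statd ("status") ports are handed
# out dynamically, so they differ between boots (values are made up).
RPCINFO_BOOT1 = """\
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1011  status
    100024    1   tcp   1022  status
"""

RPCINFO_BOOT2 = """\
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1017  status
    100024    1   tcp   1030  status
"""


def parse_rpcinfo(text):
    """Return (proto, port, service) tuples from rpcinfo -p style output."""
    services = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) == 5:
            services.append((fields[2], int(fields[3]), fields[4]))
    return services


def blocklist_from(services):
    """The 'block whatever ports I see today' approach: a set of (proto, port)."""
    return {(proto, port) for proto, port, _ in services}


def reachable_under_blocklist(blocklist, services):
    """Services still reachable after a reboot if only yesterday's ports are blocked."""
    return [svc for svc in services if (svc[0], svc[1]) not in blocklist]


def reachable_under_default_deny(allowlist, services):
    """Services reachable when everything is denied except an explicit allowlist."""
    return [svc for svc in services if (svc[0], svc[1]) in allowlist]


def compare():
    """Evaluate both policies against the next boot's RPC registrations."""
    block = blocklist_from(parse_rpcinfo(RPCINFO_BOOT1))
    next_boot = parse_rpcinfo(RPCINFO_BOOT2)
    leaked = reachable_under_blocklist(block, next_boot)
    allowed = reachable_under_default_deny({("tcp", 22)}, next_boot)  # only ssh permitted
    return leaked, allowed
```

With the blocklist, both rpc.statd endpoints are exposed again after the reboot; with default deny plus an ssh-only allowlist, no RPC service is reachable regardless of which port it lands on.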