From owner-freebsd-security Mon Jun 4 8:14:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ct980320-b.blmngtn1.in.home.com (ct980320-b.blmngtn1.in.home.com [65.8.207.32]) by hub.freebsd.org (Postfix) with ESMTP id 4557C37B405 for ; Mon, 4 Jun 2001 08:14:22 -0700 (PDT) (envelope-from mikes@ct980320-b.blmngtn1.in.home.com)
Received: (from mikes@localhost) by ct980320-b.blmngtn1.in.home.com (8.11.3/8.11.3) id f54FEKL18615; Mon, 4 Jun 2001 10:14:20 -0500 (EST) (envelope-from mikes)
From: Mike Squires
Message-Id: <200106041514.f54FEKL18615@ct980320-b.blmngtn1.in.home.com>
Subject: Re: rpc.statd attack before ipfw activated
In-Reply-To: "from Josh Thomas at Jun 4, 2001 01:30:42 am"
To: Josh Thomas
Date: Mon, 4 Jun 2001 10:14:20 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I think this is the Linux Ramen/Lion/Adore worm in action. The NOPs are always preceded by a check for rpc.statd services. snort will detect these. I use snortsnarf with snort; snortsnarf gives you Web lookups for the attacks.

4.3-STABLE isn't vulnerable, as far as I know.

MLS