From owner-freebsd-questions Sun Dec 9 23:11:13 2001
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <048101c18149$ca0363a0$0801a8c0@lan.1729.net>
From: "BSDJunk"
To: "Jim Conner"
References: <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>
Subject: Re: Intruder attempts?
Date: Mon, 10 Dec 2001 08:10:45 +0100
Sender: owner-freebsd-questions@FreeBSD.ORG

Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and for NIS, for example.

----- Original Message -----
From: "Jim Conner"
Sent: Monday, December 10, 2001 7:46 AM
Subject: Re: Intruder attempts?

> At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> >I've noticed this often on the console of the server and it appears to be
> >intruder attempts to log in. This is just a snippet:
> >
> >server1.net kernel log messages:
> >
> > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: ^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> >
>
> This is a bad thing. This is somebody attempting to use a buffer overflow
> exploit against your rpc services. If you don't need them, I suggest you
> turn portmap off. That means that if you don't want or need people
> rsh'ing, rcp'ing, etc. into your box, turn off portmap.
>
> - Jim
>
> >Best regards,
> >Jack L. Stone,
> >Server Admin
> >
> >Sage-American
> >http://www.sage-american.com
> >jacks@sage-american.com
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
>
> - Jim
>
> -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
> http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
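As an added example, not part of the thread and not FreeBSD's or rpc.statd's own code: a small Python checker that classifies rpc.statd syslog lines of the kind Jack posted. The giveaway in his line is not that the hostname is invalid (that happens for ordinary lookup failures) but that the "hostname" is full of printf conversions including %n, which writes to memory, followed by a run of M-^P, which is how syslog and cat -v render byte 0x90. The sample lines are constructed here; the first reproduces the payload shape from the thread, the other two are benign. The regex, field names and thresholds are my own choices, not anything the daemon or FreeBSD defines.

```python
import re

# Shape of the syslog lines in the thread:
# "Dec  8 03:41:47 host rpc.statd: invalid hostname to sm_stat: <payload>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)
STATD_PREFIX = "invalid hostname to sm_stat: "
# printf-style conversions; %n is the only one that writes memory
FORMAT_SPEC_RE = re.compile(r"%\d*[nxsdp]")
# a legitimate hostname never contains '%' or control characters
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")
NOP_TOKEN = "M-^P"   # cat -v / syslog rendering of byte 0x90


def parse_syslog(line):
    """Split a classic BSD syslog line into timestamp, host, program, message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return a verdict dict for rpc.statd 'invalid hostname' lines, else None."""
    rec = parse_syslog(line)
    if rec is None or rec["prog"] != "rpc.statd":
        return None
    if not rec["msg"].startswith(STATD_PREFIX):
        return None
    payload = rec["msg"][len(STATD_PREFIX):]
    specs = FORMAT_SPEC_RE.findall(payload)
    n_writes = sum(1 for s in specs if s.endswith("n"))
    nop_run = payload.count(NOP_TOKEN)
    if n_writes or nop_run >= 4:
        verdict = "format-string exploit attempt"   # %n writes or a NOP sled
    elif specs or not HOSTNAME_RE.match(payload):
        verdict = "suspicious"                      # odd bytes, but no write primitive
    else:
        verdict = "benign"                          # just a name that failed lookup
    return {
        "ts": rec["ts"], "host": rec["host"],
        "specifiers": len(specs), "n_writes": n_writes,
        "nop_run": nop_run, "verdict": verdict,
    }


def scan(lines):
    """Return the classification of every non-benign rpc.statd line."""
    results = (classify(l) for l in lines)
    return [r for r in results if r and r["verdict"] != "benign"]


# Constructed sample input. The first payload follows the line quoted in the
# thread: 9 x "%8x", four "%<n>x%n" pairs, then 13 x "M-^P".
STATD_PAYLOAD = (
    r"^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?"
    r"^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?"
    + "%8x" * 9 + "%236x%n%137x%n%10x%n%192x%n" + "M-^P" * 13
)
SAMPLE_LINES = [
    "Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: " + STATD_PAYLOAD,
    "Dec  8 04:00:01 sage-one rpc.statd: invalid hostname to sm_stat: not-a-real-host.example",
    "Dec  8 04:05:22 sage-one sshd[123]: Connection from 192.0.2.10",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Running it flags only the first line (17 conversions, 4 of them %n, and a 13-byte NOP run); the second is a plain lookup failure and the sshd line is ignored. The check complements, rather than replaces, the advice in the thread: the lasting fix is to not run rpc.statd and portmap at all when nothing needs them, and `rpcinfo -p` shows what portmap currently has registered.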