Date: Fri, 16 Feb 2001 16:43:18 +0200 From: Peter Pentchev <roam@orbitel.bg> To: Artem Koutchine <matrix@ipform.ru>, questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: rpc.statd attack Message-ID: <20010216164318.F474@ringworld.oblivion.bg> In-Reply-To: <20010216162407.D474@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Feb 16, 2001 at 04:24:07PM %2B0200 References: <004201c09823$1a423dc0$0c00a8c0@ipform.ru> <20010216162407.D474@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote:
> On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote:
> > Hi!
> >
> > I am regulary getting this:
> >
> [snip (unsuccessful, useless against fbsd) attack log]
> >
> > What port should i close or log to detect the connection? I am sure
> > this is a script
> > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log
> > it with ipfw and
> > kick that junkie butt. So, what port is it or as always with RPC it is
> > a tricky business?
>
> If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
> to be a tricky business, then yes, it is a tricky business ;)
Well, as people pointed out, I'm not awake yet :)
rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
..works just as well, or even better, with less false alarms and more
efficiency :)
G'luck,
Peter
--
I had to translate this sentence into English because I could not read the original Sanskrit.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010216164318.F474>