Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 16 Feb 2001 16:43:18 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        Artem Koutchine <matrix@ipform.ru>, questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: rpc.statd attack
Message-ID:  <20010216164318.F474@ringworld.oblivion.bg>
In-Reply-To: <20010216162407.D474@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Feb 16, 2001 at 04:24:07PM %2B0200
References:  <004201c09823$1a423dc0$0c00a8c0@ipform.ru> <20010216162407.D474@ringworld.oblivion.bg>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote:
> On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote:
> > Hi!
> > 
> > I am regulary getting this:
> > 
> [snip (unsuccessful, useless against fbsd) attack log]
> > 
> > What port should i close or log to detect the connection? I am sure
> > this is a script
> > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log
> > it with ipfw and
> > kick that junkie butt. So, what port is it or as always with RPC it is
> > a tricky business?
> 
> If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
> to be a tricky business, then yes, it is a tricky business ;)

Well, as people pointed out, I'm not awake yet :)

rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'

..works just as well, or even better, with less false alarms and more
efficiency :)

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010216164318.F474>