From owner-freebsd-questions Mon Dec 10 8:16:56 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from tomts5-srv.bellnexxia.net (tomts5.bellnexxia.net [209.226.175.25]) by hub.freebsd.org (Postfix) with ESMTP id 782DD37B405 for ; Mon, 10 Dec 2001 08:16:50 -0800 (PST)
Received: from xena.gsicomp.on.ca ([199.243.149.34]) by tomts5-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011210161644.ATP15512.tomts5-srv.bellnexxia.net@xena.gsicomp.on.ca>; Mon, 10 Dec 2001 11:16:44 -0500
Received: from localhost (matt@localhost) by xena.gsicomp.on.ca (8.11.1/8.11.1) with ESMTP id fBAG6uD01452; Mon, 10 Dec 2001 11:06:56 -0500 (EST) (envelope-from matt@xena.gsicomp.on.ca)
Date: Mon, 10 Dec 2001 11:06:55 -0500 (EST)
From: Matthew Emmerton
Cc: jacks@sage-american.com, freebsd-questions@FreeBSD.ORG
Subject: Re: Intruder attempts?
In-Reply-To: <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I wouldn't get too paranoid about this. What you're seeing is a Linux buffer overflow exploit being used against your machine, and FreeBSD has never been vulnerable to it.

If you need NIS or NFS support on your box, look into using tcpwrappers or ipfw to restrict access to portmap services to systems just on your LAN.
--
Matthew Emmerton || matt@gsicomp.on.ca
GSI Computer Services || http://www.gsicomp.on.ca

On Mon, 10 Dec 2001, Jim Conner wrote:

> At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> >I've noticed this often on the console of the server and it appears to be
> >intruder attempts to login. This is just a snippet:
> >
> >server1.net kernel log messages:
> > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
> >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
> >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
> >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>
> This is a bad thing. This is somebody attempting to use a buffer overflow
> exploit against your rpc services. If you don't need them, I suggest you
> turn portmap off. That means that if you don't want or need people
> rsh'ing, rcp'ing, etc. into your box, turn off portmap.
>
> - Jim
>
> >Best regards,
> >Jack L. Stone,
> >Server Admin
> >
> >Sage-American
> >http://www.sage-american.com
> >jacks@sage-american.com
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
>
> - Jim
>
> -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
> http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
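Added example, not part of the thread and not FreeBSD or rpc.statd code: a small Python detector that undoes the cat -v style escaping syslogd applied to the rpc.statd line quoted above and reports what the "hostname" actually contains. The `%n` conversion makes the printf family write the number of bytes output so far through a pointer argument, and widths such as `%236x` pad that count to a chosen value, so a `%n` inside a hostname is the signature of a format-string payload rather than random junk; the leading bytes decode to the little-endian 32-bit addresses those writes target, and the trailing `M-^P` run is 0x90, the x86 NOP. The marker string, the 0xbf stack-address heuristic, the thresholds and both sample lines are assumptions constructed for the example (the first sample reassembles the wrapped log line quoted above).

```python
"""Flag rpc.statd "invalid hostname to sm_stat" syslog lines whose hostname
carries printf directives.  Added example for this thread, not code from the
FreeBSD project or from any poster; sample lines are constructed."""
import re

# syslogd writes non-printable bytes cat -v style: ^X for a control char,
# M-x / \M-x for a byte with the high bit set, M-^X for both.  The log line
# in the thread mixes "\M-w", "\M^?" and "M-^P", so all three spellings are
# accepted here (assumption: a bare "M-" in real hostnames is rare).
_TOKEN = re.compile(r'(?:\\M-|\\M(?=\^)|M-)(\^.|.)|\^(.)|(.)', re.DOTALL)
_DIRECTIVE = re.compile(rb'%(\d*)([a-zA-Z%])')   # %8x, %236x, %n, %% ...
MARKER = 'invalid hostname to sm_stat: '          # assumed message prefix


def _ctrl(c):
    """^? is DEL (0x7f); ^@ .. ^_ are 0x00 .. 0x1f."""
    return 0x7F if c == '?' else (ord(c) - 0x40) & 0x7F


def decode_catv(text):
    """Undo cat -v style escaping and return the raw bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        meta, ctrl, lit = m.groups()
        if meta is not None:                     # M-x or M-^X: high bit set
            base = _ctrl(meta[1]) if meta.startswith('^') else ord(meta)
            out.append(base | 0x80)
        elif ctrl is not None:                   # ^X: control character
            out.append(_ctrl(ctrl))
        else:                                    # plain printable byte
            out.append(ord(lit))
    return bytes(out)


def leading_addresses(payload, limit=8):
    """Read up to `limit` little-endian 32-bit words from the front of the
    payload while they look like 0xbfxxxxxx user-stack addresses (the range
    this payload uses; a heuristic, not a general rule).  They are the
    locations the %n directives write to."""
    words = []
    for i in range(0, min(len(payload), 4 * limit), 4):
        w = int.from_bytes(payload[i:i + 4], 'little')
        if w >> 24 != 0xbf:
            break
        words.append(w)
    return words


def analyze(line):
    """Indicator counts for one syslog line, or None if it is not an
    sm_stat hostname complaint."""
    if MARKER not in line:
        return None
    payload = decode_catv(line.split(MARKER, 1)[1])
    convs = [conv for _, conv in _DIRECTIVE.findall(payload)]
    nop_runs = re.findall(rb'\x90+', payload)         # 0x90 = x86 NOP
    return {
        'write_directives': convs.count(b'n'),         # %n: writes to memory
        'read_directives': convs.count(b'x') + convs.count(b'p'),
        'longest_nop_run': max((len(r) for r in nop_runs), default=0),
        'targets': leading_addresses(payload),
    }


def classify(line):
    info = analyze(line)
    if info is None:
        return 'not-statd'
    if info['write_directives']:
        return 'format-string-attack'   # %n never belongs in a hostname
    if info['read_directives'] >= 4 or info['longest_nop_run'] >= 8:
        return 'suspicious'
    return 'benign'


# Constructed samples: the first reassembles the wrapped log line from the
# thread, the second is a plausible benign complaint.
ATTACK_LINE = (
    'Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: '
    '^X\\M-w\\M^?\\M-?^X\\M-w\\M^?\\M-?^Y\\M-w\\M^?\\M-?^Y\\M-w\\M^?\\M-?'
    '^Z\\M-w\\M^?\\M-?^Z\\M-w\\M^?\\M-?^[\\M-w\\M^?\\M-?^[\\M-w\\M^?\\M-?'
    + '%8x' * 9 + '%236x%n%137x%n%10x%n%192x%n' + 'M-^P' * 13
)
BENIGN_LINE = ('Dec  8 04:00:01 sage-one rpc.statd: invalid hostname to '
               'sm_stat: host.with.trailing.dot.')

if __name__ == '__main__':
    for line in (ATTACK_LINE, BENIGN_LINE):
        print(classify(line), analyze(line))
```

Run against the reassembled line it reports four `%n` writes, thirteen `%x` reads, a run of thirteen NOPs and the eight target words 0xbffff718 through 0xbffff71b; the benign line has none of those. Feed it `/var/log/messages` a line at a time to count how often the same payload recurs, which is what decides whether the access restriction Matthew describes is enough or whether portmap should simply be off.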