Date: Fri, 16 Feb 2001 15:03:44 GMT From: Cliff Sarginson <cliff@raggedclown.net> To: Peter Pentchev <roam@orbitel.bg>, Artem Koutchine <matrix@ipform.ru>, questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Efficiency [Was: Re: rpc.statd attack] Message-ID: <E14TmQC-0006Ip-00@post.mail.nl.demon.net>
next in thread | raw e-mail | index | archive | help
> On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote:
> > On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote:
> > > Hi!
> > >
> > > I am regulary getting this:
> > >
> > [snip (unsuccessful, useless against fbsd) attack log]
> > >
> > > What port should i close or log to detect the connection? I am sure
> > > this is a script
> > > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log
> > > it with ipfw and
> > > kick that junkie butt. So, what port is it or as always with RPC it is
> > > a tricky business?
> >
> > If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
> > to be a tricky business, then yes, it is a tricky business ;)
>
> Well, as people pointed out, I'm not awake yet :)
>
> rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
>
> ...works just as well, or even better, with less false alarms and more
> efficiency :)
>
As you can see makes all the difference :)
But this is under Solaris ...
$ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
32790
real 0m0.12s
user 0m0.04s
sys 0m0.07s
$ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
32790
real 0m0.11s
user 0m0.05s
sys 0m0.04s
Cliff
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E14TmQC-0006Ip-00>