From owner-freebsd-security Thu Aug 23 6:39:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from umc-mail01.missouri.edu (umc-mail01.missouri.edu [128.206.10.216])
    by hub.freebsd.org (Postfix) with ESMTP id C9EF637B410
    for ; Thu, 23 Aug 2001 06:39:33 -0700 (PDT)
    (envelope-from dooleyr@missouri.edu)
Received: by umc-mail01.missouri.edu with Internet Mail Service (5.5.2653.19)
    id ; Thu, 23 Aug 2001 08:39:29 -0500
Message-ID: <44D2ED0AC0121146BF01366481060EBE01917F1D@umc-mail02.missouri.edu>
From: "Dooley, Ryan"
To: 'Mark Newton', freebsd-security@freebsd.org
Subject: RE: Attempts to overflow rpc.statd
Date: Thu, 23 Aug 2001 08:39:25 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yeah, we're getting that as well. I'm not sure the kiddies are trying with, but it's been popping up on console (and /var/log/messages) on a couple of my machines.

Cheers,
Ryan

-----Original Message-----
From: Mark Newton [mailto:newton@atdot.dotat.org]
Sent: Thursday, August 23, 2001 5:29 AM
To: freebsd-security@freebsd.org
Subject: Attempts to overflow rpc.statd

I've been seeing these in syslog for the last week or so. Has anyone else run across them?

It looks like a buffer overflow attempt on rpc.statd, but since there aren't any FreeBSD advisories about it I'm guessing that the script kiddies are hitting on it at random without necessarily knowing about what kind of architecture or OS they're trying to attack.

Does it look familiar to anyone else?

   - mark

Aug 23 19:16:36 foo rpc.statd: invalid hostname to sm_stat:
^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF^[=F7=FF=BF^[=F7=FF=BF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P

--------------------------------------------------------------------
I tried an internal modem,                    newton@atdot.dotat.org
     but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
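
One way to flag entries like the one quoted above in /var/log/messages, as an added example that is not part of the original thread. It checks the hostname that rpc.statd logs for printf-style directives (including %n) and for long runs of M-^P, which is how syslog renders byte 0x90. The function names, the run-length threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# Message prefix taken from the syslog entry quoted in the thread.
STATD_RE = re.compile(r"rpc\.statd(?:\[\d+\])?: invalid hostname to sm_stat:\s*(?P<host>.*)$")
# printf-style conversions: optional field width, then a conversion character.
FMT_RE = re.compile(r"%(\d*)([xXdunsp])")
# syslog shows byte 0x90 as "M-^P"; tolerate mail line-wrap residue inside the run.
SLED_RE = re.compile(r"(?:M-[\s=]*\^P[\s=]*){8,}")  # threshold of 8 is an assumption
# Characters expected in a genuine hostname.
HOST_OK_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def classify(line):
    """Return None for lines that are not statd hostname rejections, else findings."""
    m = STATD_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    convs = FMT_RE.findall(host)
    findings = {
        "format_directives": len(convs),
        # %n makes printf-family functions write to memory, so it is never benign here.
        "write_directives": sum(1 for _, conv in convs if conv == "n"),
        "nop_sled": bool(SLED_RE.search(host)),
        "valid_hostname": bool(HOST_OK_RE.match(host)),
    }
    if findings["write_directives"] or findings["nop_sled"]:
        findings["verdict"] = "exploit-attempt"
    elif findings["format_directives"] or not findings["valid_hostname"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "benign"
    return findings


SAMPLE = [  # constructed, shortened lines; not copied from the thread
    "Aug 23 19:16:36 foo rpc.statd: invalid hostname to sm_stat: %8x%8x%8x%236x%n" + "M-^P" * 20,
    "Aug 23 19:20:01 foo rpc.statd: invalid hostname to sm_stat: nosuchhost.example",
    "Aug 23 19:21:10 foo rpc.statd: invalid hostname to sm_stat: %x%x",
    "Aug 23 19:22:00 foo sshd[211]: Connection closed",
]


def scan(lines):
    """Return (timestamp, verdict) for every statd hostname rejection in lines."""
    return [(l[:15], r["verdict"]) for l in lines if (r := classify(l))]


if __name__ == "__main__":
    for ts, verdict in scan(SAMPLE):
        print(ts, verdict)
```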