From owner-freebsd-security Thu Aug 23 7: 0:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from sens.com.au (sens.com.au [210.215.28.71]) by hub.freebsd.org (Postfix) with ESMTP id 2FD5B37B40E for ; Thu, 23 Aug 2001 07:00:26 -0700 (PDT) (envelope-from sens@sens.com.au) Received: from sens.com.au (feral.sens.com.au [192.168.1.8]) by sens.com.au (Postfix) with ESMTP id 1AEC75EB2; Thu, 23 Aug 2001 23:15:50 +0930 (CST) Message-ID: <3B850D3E.4DF406B3@sens.com.au> Date: Thu, 23 Aug 2001 23:33:42 +0930 From: Phil Pittard Organization: South East Network Solutions X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Mark Newton Cc: freebsd-security@freebsd.org Subject: Re: Attempts to overflow rpc.statd References: <20010823195855.A77982@atdot.dotat.org> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org There was a Linux rpc.statd attack I saw last year which looked like this.... I just did some hunting & found some refs to it at this url: http://www.havelmark.com/~rmartin/31337.html theres a link there to RedHat with the patch... no idea what effect, if any, it would have on FreeBSD.... my guess would be none. Phil. ==== Mark Newton wrote: > > I've been seeing these in syslog for the last week or so. Has anyone > else run across them? > > It looks like a buffer overflow attempt on rpc.statd, but since there > aren't any FreeBSD advisories about it I'm guessing that the script > kiddies are hitting on it at random without necessarily knowing about > what kind of architecture or OS they're trying to attack. > > Does it look familiar to anyone else? > > - mark > > Aug 23 19:16:36 foo rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > > -------------------------------------------------------------------- > I tried an internal modem, newton@atdot.dotat.org > but it hurt when I walked. Mark Newton > ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 ----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Phil Pittard IT Consultant SENS/SECNET http://www.sens.com.au http://www.itsupport4schools.com ================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message