From owner-freebsd-stable Wed Sep 20 7:36:10 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from moek.pir.net (moek.pir.net [209.192.237.190]) by hub.freebsd.org (Postfix) with ESMTP id 4DA5937B42C for ; Wed, 20 Sep 2000 07:36:08 -0700 (PDT)
Received: from pir by moek.pir.net with local (Exim) id 13bkyd-0001ww-00 for stable@freebsd.org; Wed, 20 Sep 2000 10:35:59 -0400
Date: Wed, 20 Sep 2000 10:35:59 -0400
From: Peter Radcliffe
To: stable@freebsd.org
Subject: Re: Odd log entries...an attempted breakin?
Message-ID: <20000920103558.A7164@pir.net>
Reply-To: freebsd-stable@freebsd.org
Mail-Followup-To: stable@freebsd.org
References: <39C8C50C.CA929D8C@glue.umd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39C8C50C.CA929D8C@glue.umd.edu>; from bfoz@glue.umd.edu on Wed, Sep 20, 2000 at 10:09:16AM -0400
X-fish: <
X-Copy-On-Listmail: Please do NOT Cc: me on list mail.
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Brandon Fosdick probably said:
> For the last week or so I've been seeing the following entries in
> /var/log/messages:

> 128.8.38.27 is the address of my machine and I disabled ftpd on the
> 15th. So far I've just been watching to see what happens since this
> machine doesn't have anything important on it, but last night I started
> seeing the same kinds of entries on another machine here, both of which
> are 4.1-S. Are these normal log entries or is someone playing with my
> systems? What do I do about it?

The statd lines are certainly signs of an attack.

Personally, I don't like having a machine on generally available IPs
with nfsd/statd/rpcbind/etc reachable. I'd suggest ipfilter or ipfw
filtering them ...

P.

--
pir pir@pir.net pir@net.tufts.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
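
Added example, not part of the original message or written by anyone in the thread: one way to turn the ipfw suggestion above into rules, by reading `rpcinfo -p` output and emitting an allow/deny pair for every port an RPC service (portmapper, statd, mountd, nfs) is registered on. The trusted network 192.0.2.0/24, the rule numbers and the sample `rpcinfo -p` listing are constructed assumptions.

```shell
#!/bin/sh
# gen_rpc_rules TRUSTED_NET [START_RULE]
# Reads `rpcinfo -p` output on stdin and prints ipfw commands that allow
# TRUSTED_NET to reach each registered RPC port and deny (and log) everyone else.
gen_rpc_rules() {
    trusted="$1"          # network allowed to use RPC services (assumption)
    start="${2:-2000}"    # first ipfw rule number to use (assumption)
    # rpcinfo -p columns: program vers proto port service.
    # The header line and anything without a numeric port are skipped.
    awk '($3 == "tcp" || $3 == "udp") && $4 ~ /^[0-9]+$/ { print $3, $4 }' |
    sort -u -k1,1 -k2,2n |   # one proto/port pair per rule, versions collapsed
    awk -v net="$trusted" -v n="$start" '{
        printf "ipfw add %d allow %s from %s to any %s in\n", n, $1, net, $2
        printf "ipfw add %d deny log %s from any to any %s in\n", n + 1, $1, $2
        n += 10
    }'
}

# Constructed sample of `rpcinfo -p` output, so the script runs offline.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1011  status
    100024    1   tcp   1022  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp   1023  mountd
EOF
}

# Print the rules for review; on a live host use: rpcinfo -p | gen_rpc_rules NET
sample_rpcinfo | gen_rpc_rules 192.0.2.0/24
```

statd and mountd get their ports from the portmapper at startup, so the output has to be regenerated whenever those daemons restart. A ruleset that denies inbound traffic by default and opens only the services meant to be public does not have that dependency.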