From: Roman Shterenzon
Date: Thu, 12 Oct 2000 10:02:41 +0200 (IST)
To: cjclark@alum.mit.edu
Cc: freebsd-stable@freebsd.org
Subject: Re: rpc.statd
In-Reply-To: <20001012003222.N25121@149.211.6.64.reflexcom.com>

On Thu, 12 Oct 2000, Crist J. Clark wrote:

> > ..oh ..that's a strange hostname.
> >
> > Which exploit is it that the attacker tries to use? I guess I'm not
> > vulnerable cause I'm still around ;)
>
> Most likely someone tried a Linux exploit on you,
>
>   http://www.securityfocus.com/vdb/bottom.html?vid=1480
>
> > Also, where can I find the ip of the attacker? Is it logged?
>
> Not 100% on this, but I think that is only logged if you used the '-d'
> option. See rpc.statd(8).

Which makes me think... How does one protect rpc services, rather than
having a default-deny policy on the outer interface? And if it's the only
interface? Of course it's possible to filter port 111 (or use
/etc/hosts.allow), but the attacker can contact the rpc.statd directly.
Is it possible to force some rpc service to some port so it can be
filtered?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
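The message above notes that filtering port 111 still leaves rpc.statd reachable on its own port. The following is an added example, not part of the original message: a shell function that reads `rpcinfo -p` output and lists every registered RPC endpoint other than the portmapper, which is what a port-111-only filter leaves exposed. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Constructed sample of `rpcinfo -p` output; the ports are illustrative.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1011  status
    100024    1   tcp   1022  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
EOF
}

# exposed_rpc_ports (hypothetical helper): read `rpcinfo -p` output on
# stdin and print one "proto/port service" line per distinct endpoint
# that is NOT the portmapper port. Each line is a port a filter on 111
# alone does not cover.
exposed_rpc_ports() {
    awk '
        # Data rows start with a numeric program number; this skips the header.
        $1 ~ /^[0-9]+$/ && $3 ~ /^(tcp|udp)$/ && $4 != 111 {
            key = $3 "/" $4
            if (!(key in seen)) {
                seen[key] = 1
                # Older rpcinfo versions omit the service column.
                name = ($5 == "") ? "prog-" $1 : $5
                print key, name
            }
        }
    ' | sort -t/ -k1,1 -k2,2n
}

# On a live host: rpcinfo -p localhost | exposed_rpc_ports
sample_rpcinfo | exposed_rpc_ports
```

Ports assigned dynamically can change when the daemon restarts, so the listing has to be regenerated before it is compared against the packet filter rules.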