Date: Fri, 20 Apr 2001 23:17:55 +0200 (MEST)
From: Pär Thoren
To: freebsd-security@freebsd.org
Subject: rpc.statd attack

Ok when I get portscanned...but these guys try to exploit my ass.
Apr 20 23:09:05 z rpc.statd: invalid hostname to sm_stat: ^X=F7=FF=BF^X=F7=FF=BF^Y=F7=FF=BF^Y=F7=FF=BF^Z=F7=FF=BF^Z=F7=FF=BF= ^[=F7=FF=BF^[=F7=FF=BF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%= nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-= ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM= -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P= M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^= PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-= ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM= -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P= M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^= PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-= ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM= -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P= M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P I guess it=B4s the old linux rpc.statd epxloit. But how can I see what IP did this? Does rpc.statd log this information by default? /P=E4r To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
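
A log-triage check for entries like the one quoted in the post, as an added example that is not part of the original message: it flags rpc.statd "invalid hostname to sm_stat" lines whose argument contains printf conversions or a run of M-^P (the syslog rendering of byte 0x90). The function names are hypothetical and the sample lines are constructed; because the quoted line contains no peer address, a finding gives only a timestamp and host to correlate with firewall or packet logs.

```python
import re

# Prefix of the rpc.statd message quoted in the post; the hostname argument follows.
STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\srpc\.statd(?:\[\d+\])?:\s"
    r"invalid hostname to sm_stat:\s(?P<arg>.*)$"
)
WRITE_RE = re.compile(r"%(?:\d+\$)?h{0,2}n")   # %n, %hn, %5$n: printf write conversions
PAD_RE = re.compile(r"%\d*x")                  # %8x, %236x: padded hex conversions
NOP_RE = re.compile(r"(?:M-\^P){8,}")          # syslog rendering of repeated byte 0x90

# Constructed sample lines (shortened; not the full entry from the post).
SAMPLE = [
    "Apr 20 23:09:05 z rpc.statd: invalid hostname to sm_stat: "
    "^X%8x%8x%236x%n%137x%n" + "M-^P" * 40,
    "Apr 20 23:10:11 z rpc.statd: invalid hostname to sm_stat: bad/host",
    "Apr 20 23:11:00 z sshd[411]: Connection closed by 192.0.2.7",
]


def inspect_line(line):
    """Return a finding for an rpc.statd line carrying format-string content, else None."""
    m = STATD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    arg = m.group("arg")
    writes = len(WRITE_RE.findall(arg))
    pads = len(PAD_RE.findall(arg))
    nop = NOP_RE.search(arg)
    nop_run = len(nop.group(0)) // 4 if nop else 0
    if not (writes or pads or nop_run):
        return None  # an odd hostname, but no printf conversions or padding
    return {
        "ts": m.group("ts"), "host": m.group("host"),
        "writes": writes, "pads": pads, "nop_run": nop_run,
        # %n is the conversion that writes memory, so it ranks highest
        "severity": "high" if writes else "medium",
    }


def scan(lines):
    """Return findings for every suspicious line, in input order."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```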