From owner-freebsd-security Fri Apr 20 19: 2: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ct980320-b.blmngtn1.in.home.com (ct980320-b.blmngtn1.in.home.com [65.8.207.32])
    by hub.freebsd.org (Postfix) with ESMTP id 8BCF837B423
    for ; Fri, 20 Apr 2001 19:02:03 -0700 (PDT)
    (envelope-from mikes@ct980320-b.blmngtn1.in.home.com)
Received: (from mikes@localhost)
    by ct980320-b.blmngtn1.in.home.com (8.11.3/8.11.3) id f3L21xf14241;
    Fri, 20 Apr 2001 21:01:59 -0500 (EST)
    (envelope-from mikes)
From: Mike Squires
Message-Id: <200104210201.f3L21xf14241@ct980320-b.blmngtn1.in.home.com>
Subject: Re: rpc.statd attack
In-Reply-To: <20010420143734.A79887@mooseriver.com> "from Josef Grosch at Apr 20, 2001 02:37:35 pm"
To: jgrosch@mooseriver.com
Date: Fri, 20 Apr 2001 21:01:59 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I saw a couple of these in my log files last night. I also would like to
> find out what the IP of these bozos is. I'd like to let their ISP know that
> these guys need to be spanked pretty hard.

I get them all the time; I assume they are variants of the Ramen attack.
I use snort 1.7 to track the alleged incoming IP numbers; a few ISPs
have reported back to me that in fact they found hacked LINUX boxes at
the indicated address.

(snort 1.7 from ports, plus snortsnarf from www.snort.org to put the
logs into a quickly readable format).

MLS