Date: Wed, 20 Sep 2000 20:00:01 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Kent Stewart <kstewart@urx.com>
Cc: Brandon Fosdick <bfoz@glue.umd.edu>, stable@FreeBSD.ORG
Subject: Re: Odd log entries...an attempted breakin?
Message-ID: <Pine.BSF.4.21.0009201958280.17718-100000@freefall.freebsd.org>
In-Reply-To: <39C974F9.210D0F41@urx.com>

On Wed, 20 Sep 2000, Kent Stewart wrote:

> Kris Kennaway wrote:
> >
> > On Wed, Sep 20, 2000 at 10:09:16AM -0400, Brandon Fosdick wrote:
> > > For the last week or so I've been seeing the following entries in
> > > /var/log/messages:
> > >
> > > Sep 17 01:17:11 nbf-27 rpc.statd: Invalid hostname to sm_mon:
> > > ^D=F7=FF=BF^D=F7=FF=BF^E=F7=FF=BF^E=F7=FF=BF^F=F7=FF=BF^F=F7=FF=BF^G=F7=FF=BF^G=F7=FF=BF%08x %08x %08x %08x %08x %08x
> > > %08x %08x
> >
> > Someone is trying to exploit a root hole in the Linux rpc.statd.
> > You don't have anything to worry about running FreeBSD here :-)
>
> Is that what the Tribal Flood people are doing or is this something
> different?

Sort of. There's a distributed denial-of-service client doing the rounds
which uses the rpc.statd exploit as an entrance vector to install itself,
since it's so common and commonly unpatched.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
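
Added example (not part of the original message and not FreeBSD or rpc.statd code): a small Python log scanner that flags rpc.statd "Invalid hostname to sm_mon" entries like the one quoted in the thread when the logged hostname carries printf conversions or binary bytes. The sample lines, the optional "[pid]" field and the verdict labels are assumptions made for illustration.

```python
import re

# rpc.statd syslog entry as quoted in the thread; the optional "[pid]" is an assumption.
STATD = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) rpc\.statd(?:\[\d+\])?: "
                   r"Invalid hostname to sm_mon: ?(.*)$")
# printf conversion specifications such as %08x, %n, %hn, %10$s
CONVERSION = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXsnp]")
# Raw control/high bytes, or the caret notation (^D) some viewers print for them
BINARY = re.compile(r"[\x00-\x1f\x7f-\xff]|\^[@-_?]")


def classify(line):
    """Return None for unrelated lines, else a dict describing the sm_mon entry."""
    m = STATD.match(line.rstrip("\n"))
    if m is None:
        return None
    when, host, name = m.groups()
    conversions = CONVERSION.findall(name)
    binary = bool(BINARY.search(name))
    if conversions:
        verdict = "format-string probe"      # hostname was meant for a printf-style call
    elif binary:
        verdict = "binary data in hostname"
    else:
        verdict = "malformed hostname"       # rejected by statd, but no probe markers
    return {"when": when, "host": host, "verdict": verdict,
            "conversions": len(conversions), "binary": binary}


def scan(lines):
    """Classify every rpc.statd sm_mon entry in an iterable of log lines."""
    return [r for r in map(classify, lines) if r is not None]


# Constructed sample lines; the first is modelled on the entry quoted in the thread.
SAMPLE = [
    "Sep 17 01:17:11 nbf-27 rpc.statd: Invalid hostname to sm_mon: "
    "\x04\xf7\xff\xbf\x04\xf7\xff\xbf%08x %08x %08x %08x",
    "Sep 17 02:00:00 nbf-27 rpc.statd[211]: Invalid hostname to sm_mon: bad_host!",
    "Sep 17 02:05:00 nbf-27 sshd[123]: Accepted publickey for ops",
]

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r["when"], r["host"], r["verdict"], "conversions=%d" % r["conversions"])
```

When reading a real /var/log/messages, open it with encoding="latin-1" so the raw bytes in the hostname survive decoding.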