From owner-freebsd-stable Wed Sep 20 20: 0: 6 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 94C7037B42C; Wed, 20 Sep 2000 20:00:01 -0700 (PDT)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA18015; Wed, 20 Sep 2000 20:00:01 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 20 Sep 2000 20:00:01 -0700 (PDT)
From: Kris Kennaway
To: Kent Stewart
Cc: Brandon Fosdick, stable@FreeBSD.ORG
Subject: Re: Odd log entries...an attempted breakin?
In-Reply-To: <39C974F9.210D0F41@urx.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 20 Sep 2000, Kent Stewart wrote:

>
>
> Kris Kennaway wrote:
> >
> > On Wed, Sep 20, 2000 at 10:09:16AM -0400, Brandon Fosdick wrote:
> > > For the last week or so I've been seeing the following entries in
> > > /var/log/messages:
> > >
> > > Sep 17 01:17:11 nbf-27 rpc.statd: Invalid hostname to sm_mon:
> > > ^D=F7=FF=BF^D=F7=FF=BF^E=F7=FF=BF^E=F7=FF=BF^F=F7=FF=BF^F=F7=FF=BF^G=F7=FF=BF^G=F7=FF=BF%08x %08x %08x %08x %08x %08x
> > > %08x %08x
> >
> > Someone is trying to exploit a root hole in the Linux rpc.statd.
> > You don't have anything to worry about running FreeBSD here :-)
>
> Is that what the Tribal Flood people are doing or is this something
> different?

Sort of. There's a distributed denial-of-service client doing the rounds
which uses the rpc.statd exploit as an entrance vector to install itself,
since it's so common and commonly unpatched.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
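Added example, not part of the thread above: a small Python check that scans BSD-style syslog lines for rpc.statd "Invalid hostname to sm_mon" entries whose hostname field contains printf conversions (such as the `%08x` runs in the log above) or non-printable bytes, which is what distinguishes a format-string probe from a genuine bad hostname. The sample log lines, hostnames and addresses are constructed for the example.

```python
import re

# Constructed sample syslog lines imitating the thread's rpc.statd entry;
# the address bytes are written as \x escapes (the archive showed them as
# quoted-printable =F7=FF=BF).
SAMPLE_LOG = [
    "Sep 17 01:17:11 nbf-27 rpc.statd: Invalid hostname to sm_mon: "
    "\x04\xf7\xff\xbf\x04\xf7\xff\xbf%08x %08x %08x %08x %08x %08x %08x %08x",
    "Sep 17 01:18:02 nbf-27 rpc.statd: Invalid hostname to sm_mon: client.example.org",
    "Sep 17 01:19:30 nbf-27 sshd[123]: Accepted publickey for alice from 192.0.2.5",
]

# BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# printf-style conversions a format-string probe relies on (%x, %n, %s, %p ...)
FMT_SPEC_RE = re.compile(r"%\d*[xXnspdu]")
STATD_PREFIX = "Invalid hostname to sm_mon: "


def classify_hostname(hostname):
    """Return (format_specs, nonprintable) counts for an sm_mon hostname."""
    specs = len(FMT_SPEC_RE.findall(hostname))
    nonprint = sum(1 for c in hostname if ord(c) < 0x20 or ord(c) > 0x7E)
    return specs, nonprint


def suspicious_statd_entries(lines):
    """Pick out rpc.statd sm_mon complaints whose 'hostname' looks like
    a format-string probe rather than a real hostname."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "rpc.statd":
            continue
        msg = m.group("msg")
        if not msg.startswith(STATD_PREFIX):
            continue
        specs, nonprint = classify_hostname(msg[len(STATD_PREFIX):])
        if specs or nonprint:
            hits.append({"ts": m.group("ts"), "host": m.group("host"),
                         "format_specs": specs, "nonprintable": nonprint})
    return hits


if __name__ == "__main__":
    for hit in suspicious_statd_entries(SAMPLE_LOG):
        print(hit)
```

On a real host the same function can be fed `open("/var/log/messages")` directly; a genuine mis-typed hostname yields (0, 0) and is ignored, so only probe-shaped entries are reported.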