Date: Thu, 21 Sep 2000 11:57:07 -0400 (EDT)
From: mi@aldan.algebra.com
To: Brandon Fosdick <bfoz@glue.umd.edu>
Cc: stable@FreeBSD.ORG
Subject: Re: Odd log entries...an attempted breakin?
Message-ID: <200009211557.LAA50149@misha.privatelabs.com>
In-Reply-To: <39C8C50C.CA929D8C@glue.umd.edu>
Yes, this does look suspiciously like an attempt to explore the vulnerabilities described in:

	http://www.cert.org/incident_notes/IN-2000-10.html

(both -- statd and ftpd). I'd contact the administrators of the ISPs where this is coming from to get the kiddie chained to a shovel for this nonsense.

	-mi

P.S. This sort of question should, probably, be directed to -security...

> For the last week or so I've been seeing the following entries in
> /var/log/messages:
>
> Sep 10 23:07:41 nbf-27 ftpd[592]: ANONYMOUS FTP LOGIN REFUSED FROM p3EE06D80.dip.t-dialin.net
> Sep 11 05:12:00 nbf-27 ftpd[1141]: ANONYMOUS FTP LOGIN REFUSED FROM 128.249.222.208
> Sep 13 12:21:29 nbf-27 ftpd[2051]: ANONYMOUS FTP LOGIN REFUSED FROM ip58.stamford22.ct.pub-ip.psi.net
> Sep 14 20:17:23 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 14 20:17:35 nbf-27 last message repeated 4 times
> Sep 15 10:51:48 nbf-27 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137
> Sep 15 14:50:14 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 15 14:50:48 nbf-27 last message repeated 8 times
> Sep 15 14:50:58 nbf-27 last message repeated 3 times
> Sep 15 19:04:43 nbf-27 ftpd[2384]: ANONYMOUS FTP LOGIN REFUSED FROM e16004.upc-e.chello.nl
> Sep 16 17:04:51 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 16 17:05:12 nbf-27 last message repeated 7 times
> Sep 16 17:06:04 nbf-27 last message repeated 7 times
> Sep 16 17:29:03 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 16 17:29:31 nbf-27 last message repeated 3 times
> Sep 17 01:17:11 nbf-27 rpc.statd: Invalid hostname to sm_mon: ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x %08x
> Sep 17 16:46:26 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 17 16:46:47 nbf-27 last message repeated 9 times
> Sep 17 16:53:01 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 17 17:01:33 nbf-27 last message repeated 17 times
> Sep 17 17:07:11 nbf-27 last message repeated 19 times
> Sep 17 17:36:13 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 17 17:39:37 nbf-27 last message repeated 38 times
> Sep 17 19:12:58 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 17 19:13:03 nbf-27 last message repeated 3 times
> Sep 18 18:12:53 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
> Sep 18 18:13:24 nbf-27 last message repeated 5 times
> Sep 18 18:13:28 nbf-27 last message repeated 2 times
> Sep 20 04:26:11 nbf-27 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137
> Sep 20 04:27:02 nbf-27 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137
>
>
> 128.8.38.27 is the address of my machine and I disabled ftpd on the
> 15th. So far I've just been watching to see what happens since this
> machine doesn't have anything important on it, but last night I started
> seeing the same kinds of entries on another machine here, both of which
> are 4.1-S. Are these normal log entries or is someone playing with my
> systems? What do I do about it?
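An added triage example, not code from the thread or from FreeBSD: it takes the kind of /var/log/messages lines quoted above, decodes the rpc.statd "invalid hostname" payloads, and tags the mountd and ftpd entries by source. The sample log is constructed from the lines Brandon posted. Two decoding rules are assumptions about how syslog and the archive rendered the bytes (control characters in caret notation such as ^X for 0x18, everything else as Latin-1, so "^X÷ÿ¿" is 18 f7 ff bf), and the 0xbf000000-0xbfffffff range used to recognise stack addresses is an assumption about a 32-bit x86 target. The decoder shows the sm_stat payload starting with 0xbffff718, 0xbffff718, 0xbffff719, 0xbffff719, ... followed by %x directives and a %n, which is the shape of a format-string write; the sm_mon line carries only %08x reads.

```python
"""Triage of rpc.statd / mountd / ftpd syslog lines (added example)."""
import re

# Constructed sample: entries copied from the quoted /var/log/messages excerpt.
SAMPLE_LOG = """\
Sep 10 23:07:41 nbf-27 ftpd[592]: ANONYMOUS FTP LOGIN REFUSED FROM p3EE06D80.dip.t-dialin.net
Sep 14 20:17:23 nbf-27 mountd[119]: umountall request from 128.8.38.27 from unprivileged port
Sep 15 10:51:48 nbf-27 rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137
Sep 17 01:17:11 nbf-27 rpc.statd: Invalid hostname to sm_mon: ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x %08x
"""

# timestamp, host, program, optional [pid], message
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.]+?)(?:\[(\d+)\])?: (.*)$")
CARET = re.compile(r"\^([@-_])")            # caret notation: ^X -> 0x18, ^[ -> 0x1b
FMT_SPEC = re.compile(r"%(\d*)([diouxXnsp])")  # printf directives with optional width

# Assumption: 32-bit x86 user stack just below 0xc0000000.
STACK_LO, STACK_HI = 0xBF000000, 0xBFFFFFFF


def decode_payload(text):
    """Reverse the archive rendering: caret-notation control chars, Latin-1 for the rest."""
    expanded = CARET.sub(lambda m: chr(ord(m.group(1)) - 0x40), text)
    return expanded.encode("latin-1")


def leading_addresses(payload):
    """Read 4-byte little-endian words from the front of the payload while they
    fall in the stack-like range; stop at the first one that does not."""
    addrs = []
    for i in range(0, len(payload) - 3, 4):
        word = int.from_bytes(payload[i:i + 4], "little")
        if not STACK_LO <= word <= STACK_HI:
            break
        addrs.append(word)
    return addrs


def classify_format_string(text):
    """Return (read directives, %n write directives, summed field widths)."""
    specs = FMT_SPEC.findall(text)
    reads = sum(1 for _, conv in specs if conv != "n")
    writes = sum(1 for _, conv in specs if conv == "n")
    width = sum(int(w) for w, _ in specs if w)
    return reads, writes, width


def triage(log_text):
    """One finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, host, prog, _pid, msg = m.groups()
        if prog == "rpc.statd" and "hostname to sm_" in msg.lower():
            call = re.search(r"sm_\w+", msg).group(0)
            payload_text = msg.split(": ", 1)[1]
            addrs = leading_addresses(decode_payload(payload_text))
            reads, writes, width = classify_format_string(payload_text)
            findings.append({
                "ts": ts, "host": host, "kind": "statd-format-string", "call": call,
                "addresses": addrs, "reads": reads, "writes": writes, "width": width,
                # %n plus embedded stack addresses is the write stage; %x-only
                # payloads look like stack probing.
                "write_primitive": writes > 0 and bool(addrs),
            })
        elif prog == "mountd" and "unprivileged port" in msg:
            src = re.search(r"request from (\S+) from unprivileged", msg).group(1)
            findings.append({"ts": ts, "host": host, "kind": "mountd-unprivileged-port", "source": src})
        elif prog == "ftpd" and "ANONYMOUS FTP LOGIN REFUSED FROM" in msg:
            findings.append({"ts": ts, "host": host, "kind": "anon-ftp-refused",
                             "source": msg.rsplit(" ", 1)[1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["kind"] == "statd-format-string":
            print(f["ts"], f["call"], [hex(a) for a in f["addresses"]],
                  "reads=%d writes=%d width=%d" % (f["reads"], f["writes"], f["width"]))
        else:
            print(f["ts"], f["kind"], f["source"])
```

The trailing "%137" on the sm_stat lines has no conversion character in the log as posted, so the classifier ignores it rather than guessing what followed. Run against a real /var/log/messages, the script only answers the question asked in the thread (is this an attack, and from where); it does not tell you whether the write succeeded, for which you would check the rpc.statd binary against the fixes referenced in IN-2000-10.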