Date:      Thu, 9 Oct 2003 03:51:38 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Charles Howse <chowse@charter.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Unusual logcheck entry
Message-ID:  <20031009105138.GC7709@rot13.obsecurity.org>
In-Reply-To: <001c01c38e52$2ecdfd60$04fea8c0@moe>
References:  <001c01c38e52$2ecdfd60$04fea8c0@moe>

On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> The following appeared in /var/log/messages in my daily logcheck report:
>
> Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> Oct  8 20:38:47 curly /kernel: -^PM-^PM-^P
>
> At that time, I was sitting on the couch watching the Cubs play the
> Marlins.
> Any idea what this means?

This is an attempt to exploit an old Linux rpc.statd
vulnerability. See the mailing list archives for extensive discussion
a few years ago.

Kris
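
Added example (not part of the original message, and not logcheck's own code): a small log scanner that flags syslog entries like the one quoted above, where a field that should hold a hostname carries printf-style conversions and long runs of escaped non-printable bytes. The function name `analyze`, the thresholds and the sample lines are assumptions made for illustration.

```python
import re

# Syslog line: "Oct  8 20:38:47 host program[pid]: message"
SYSLOG = re.compile(
    r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
# printf-style conversion: optional flags, width, length modifier, letter
CONVERSION = re.compile(r"%[-+ #0]*(\d*)(?:\.\d+)?(hh|h|ll|l)?([diouxXscpn])")
# Non-printable bytes as they appear in the log: ^X (control), M-^P / M-x (high bit)
ESCAPED_BYTE = re.compile(r"M-\^.|M-[^\^]|\^[@-_?]")


def analyze(line):
    """Return findings for one syslog line, or None if it does not parse."""
    m = SYSLOG.match(line)
    if not m:
        return None
    _stamp, host, program, message = m.groups()
    convs = CONVERSION.findall(message)
    widths = [int(w) for w, _, _ in convs if w]
    findings = {
        "host": host,
        "program": program,
        "conversions": len(convs),
        "writes": sum(1 for _, _, c in convs if c == "n"),  # %n, %hn, ...
        "max_width": max(widths, default=0),
        "escaped_bytes": len(ESCAPED_BYTE.findall(message)),
    }
    # Assumed thresholds: any %n-family conversion, several conversions in
    # one message, or a long run of escaped bytes marks the line for review.
    findings["suspicious"] = (
        findings["writes"] > 0
        or findings["conversions"] >= 4
        or findings["escaped_bytes"] >= 16
    )
    return findings


# Constructed sample lines, modelled on the entry quoted above (payload shortened).
SAMPLE = [
    "Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat: "
    "^X???^X???%8x%8x%8x%62716x%hn%51859x%hn" + "M-^P" * 20,
    "Oct  8 20:40:02 curly sshd[412]: Accepted publickey for charles from 192.0.2.10",
    "Oct  8 20:41:10 curly rpc.statd: invalid hostname to sm_stat: bad_host!",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyze(entry))
```

The check reads only the logged text, so it reports that the request was received and logged, not whether the daemon that handled it was affected.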
