Date:      Thu, 13 Dec 2001 00:42:34 -0500
From:      Jim Conner <jconner@enterit.com>
To:        jacks@sage-american.com
Cc:        "BSDJunk" <BSDJunk@bzerk.org>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Intruder attempts?
Message-ID:  <5.1.0.14.0.20011213004148.0300cea0@mail.enterit.com>
In-Reply-To: <3.0.5.32.20011211235118.01078190@mail.sage-american.com>
References:  <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com> <048101c18149$ca0363a0$0801a8c0@lan.1729.net> <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>

At 23:51 12.11.2001 -0600, jacks@sage-american.com wrote:
>If I turn off rpc_statd_enable, what does that do to the NFS server...???

Honestly, I do not know.  I have very little experience with NFS (as I have 
possibly already demonstrated :)  Perhaps someone else could help ya with 
this one. - Jim :)


>At 12:35 AM 12.12.2001 -0500, Jim Conner wrote:
> >At 08:10 12.10.2001 +0100, BSDJunk wrote:
> >
> >>Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and
> >>for NIS e.g.
> >
> >Heh, I hate it when I say dumb, i.e. wrong, things. :)  Thank you for
> >correcting me.  However, I am still correct that this is an rpc.statd
> >exploit.  In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and
> >make it equal to "NO".
> >
> >
> >>----- Original Message -----
> >>From: "Jim Conner" <jconner@enterit.com>
> >>To: <jacks@sage-american.com>
> >>Cc: <freebsd-questions@FreeBSD.ORG>
> >>Sent: Monday, December 10, 2001 7:46 AM
> >>Subject: Re: Intruder attempts?
> >>
> >>
> >> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> >> > >I've noticed this often on the console of the server and it appears to be
> >> > >intruder attempts to login.  This is just a snippet:
> >> > >
> >> > ><snip/>
> >> > >server1.net kernel log messages:
> >> > > > Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
> >> > > > ^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> >> > ></snip>
> >> > >
> >> >
> >> > This is a bad thing.  This is somebody attempting to use a buffer
> >> > overflow exploit against your rpc services.  If you don't need them,
> >> > I suggest you turn portmap off.  That means that if you don't want or
> >> > need people rsh'ing, rcp'ing, etc. into your box, turn off portmap.
> >> >
> >> > - Jim
> >> >
> >> >
> >> > >Best regards,
> >> > >Jack L. Stone,
> >> > >Server Admin
> >> > >
> >> > >Sage-American
> >> > >http://www.sage-american.com
> >> > >jacks@sage-american.com
> >> > >
> >> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> > >with "unsubscribe freebsd-questions" in the body of the message
> >> >
> >> >
> >> >
> >> > - Jim
> >> >
> >> > -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
> >> > http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
> >> >
> >> > -----BEGIN PERL GEEK CODE BLOCK-----      ------BEGIN GEEK CODE BLOCK------
> >> > Version: 0.01                             Version: 3.12
> >> > P++>*@$c?P6?R+++>++++@$M                  GIT/CM/J d++(--) s++:++ a-
> >> >  >++++$O!MA->++++E!> PU-->+++BD            C++++(+) UB++++$L++++$S++++$
> >> > $C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++   P++(+)>+++++ L+++(++++)>+++++$ !E*
> >> > +PP+++>++++n-CO?PO!o >++++G               W++(+++) N+ o !K w--- PS---(-)@ PE
> >> >  >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+   Y+>+++ PGP t+(+++)>+++@ 5- X++ R@
> >> >  >*@$uS+>*@$uH+uo+w-@$m!                   tv+ b? DI-(+++) D+++(++) G(++++)
> >> > ------END PERL GEEK CODE BLOCK------      ------END GEEK CODE BLOCK------
> >> >
> >> >
> >> >
> >
> >
> >
> >- Jim
> >
> >
> >
> >
>
>Best regards,
>Jack L. Stone,
>Server Admin
>
>Sage-American
>http://www.sage-american.com
>jacks@sage-american.com
>



- Jim

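An added example, not from this thread and not FreeBSD's own tooling: a small sh script that scans a syslog extract for rpc.statd "invalid hostname to sm_stat" entries whose hostname field carries printf-style directives such as %n and %8x (the shape of the entry Jack quoted), and checks whether rc.conf sets rpc_statd_enable to NO as suggested in the thread. The log lines and rc.conf contents are constructed samples written to temp files; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: flag rpc.statd
# "invalid hostname to sm_stat" entries whose hostname carries printf-style
# directives (%n, %8x, ...), the shape of the entry quoted above, and check
# that rc.conf turns rpc.statd off as the thread suggests.
# Log and rc.conf contents are constructed samples; the paths are temp files.

# Print sm_stat entries whose hostname field contains a conversion directive.
statd_probe_lines() {
    grep 'rpc\.statd: invalid hostname to sm_stat:' "$1" |
        grep -E '%[0-9]*[nxsdp]'
}

# Number of such entries in the log (0 when none).
statd_probe_count() {
    statd_probe_lines "$1" | wc -l | tr -d ' '
}

# Succeed only when rc.conf explicitly sets rpc_statd_enable="NO" (last
# assignment wins). No assignment means the /etc/defaults/rc.conf value
# applies, so that case is reported as not disabled.
statd_disabled_in() {
    val=$(grep -E '^[[:space:]]*rpc_statd_enable=' "$1" | tail -n 1 |
          cut -d= -f2 | tr -d '"')
    [ "$val" = "NO" ]
}

# Constructed sample data: one probe, one sshd line, one ordinary statd message.
LOG=$(mktemp); RC_WEAK=$(mktemp); RC_FIXED=$(mktemp)
cat > "$LOG" <<'EOF'
Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: %8x%8x%8x%236x%n%137x%n
Dec  8 03:42:01 sage-one sshd[123]: Accepted publickey for jack from 192.0.2.10
Dec  8 03:45:10 sage-one rpc.statd: invalid hostname to sm_stat: nfsclient.example
EOF
printf 'rpc_statd_enable="YES"\nportmap_enable="YES"\n' > "$RC_WEAK"
printf 'portmap_enable="YES"\nrpc_statd_enable="NO"\n' > "$RC_FIXED"

echo "probe entries in log: $(statd_probe_count "$LOG")"
if statd_disabled_in "$RC_FIXED"; then echo "rc.conf: rpc.statd disabled"; fi
if ! statd_disabled_in "$RC_WEAK"; then echo "weak rc.conf: rpc.statd still on"; fi
```

On a real box, point statd_probe_lines at /var/log/messages and statd_disabled_in at /etc/rc.conf; an empty rc.conf result means the default from /etc/defaults/rc.conf is what actually applies.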



