Date: Thu, 25 Jan 2001 12:04:32 -0600 (CST)
From: David La Croix <dlacroix@cowpie.acm.vt.edu>
To: hetzels@westbend.net (Scot W. Hetzel)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: buffer overflows in rpc.statd?
Message-ID: <200101251804.NAA00434@cowpie.acm.vt.edu>
In-Reply-To: <026c01c086f6$c2c151e0$7d7885c0@genroco.com> from "Scot W. Hetzel" at "Jan 25, 1 11:46:33 am"
I started seeing this kind of activity on my servers beginning around August. I don't specifically log the reports, but looking at the packet refused counters on my IPFW rules, they do continue.

I don't know what the consensus is about adding logging of network details about this stuff to rpc.statd, but you can capture logs of any/all network activity you want by adding the "log" directive to a firewall rule. Not sure how much value those logs will be, since there's a significant amount of forged IP headers, source routing, etc. especially among 5kr1pt k1dd135. man ipfw.

BTW... not that I know of any specific exploits for Rpc.* family servers, but I would recommend setting up firewall rules to prevent anyone you don't trust from accessing those services (or any other services you might be paranoid about). Even better, make sure your server and clients are behind a firewall that prevents source-routed/forged packets from the outside from spoofing as a part of your lan.

> From: "Scot W. Hetzel" <hetzels@westbend.net>
>
> > > Anybody have an idea as to what this is?
> > >
> > > Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat:
> > > ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
> > \x
> >
> Thanks, Chris for letting us know it's a linux exploit.
>
> Is there any way that we can find the IP address of the script kiddie using
> this exploit so we can inform their ISP.
>
> Thanks,
>
> Scot
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
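An added example (not from this thread or from FreeBSD) of what the "log" suggestion above buys you once the ipfw and rpc.statd lines land in the same syslog: it flags sm_stat "hostnames" that syslogd rendered with raw bytes, then lists the source addresses ipfw logged against the statd host shortly before each one. The sample log is constructed, and the ipfw line layout ("ipfw: <rule> <Accept|Deny> <proto> <src>:<port> <dst>:<port> in via <if>") is assumed to match the FreeBSD kernel format of that era; as the post notes, a logged source may itself be forged, so treat the result as a lead, not an attribution.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt (not real traffic); 192.0.2.10 is the statd host.
# The ipfw line format is an assumption about the reader's FreeBSD 4.x setup.
SAMPLE_LOG = r"""Jan 25 03:27:40 spare /kernel: ipfw: 1000 Accept TCP 192.0.2.7:2049 192.0.2.10:111 in via fxp0
Jan 25 03:27:47 spare /kernel: ipfw: 1010 Accept UDP 192.0.2.7:1029 192.0.2.10:1023 in via fxp0
Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat: ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf
Jan 25 03:30:01 spare rpc.statd: invalid hostname to sm_stat: nfsclient.example.net
Jan 25 04:10:12 spare /kernel: ipfw: 1000 Accept TCP 198.51.100.3:3049 192.0.2.10:111 in via fxp0
"""

SYSLOG_TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
STATD_RE = re.compile(SYSLOG_TS + r" \S+ rpc\.statd: invalid hostname to sm_stat: (.*)$")
IPFW_RE = re.compile(SYSLOG_TS + r" \S+ /kernel: ipfw: \d+ \w+ \w+ ([\d.]+):\d+ ([\d.]+):\d+ in via")
# syslogd writes non-printable bytes as \xNN or ^C; a legitimate hostname never contains them
RAW_BYTES = re.compile(r"\\x[0-9a-fA-F]{2}|\^[@-_]")

def _ts(stamp):
    # Year-less syslog stamps; only differences between them matter here
    return datetime.strptime(stamp, "%b %d %H:%M:%S")

def suspicious_statd_events(log):
    """(timestamp, logged 'hostname') for sm_stat calls whose argument carries raw bytes."""
    out = []
    for line in log.splitlines():
        m = STATD_RE.match(line)
        if m and RAW_BYTES.search(m.group(2)):
            out.append((m.group(1), m.group(2)))
    return out

def correlate_sources(log, window=60):
    """Map each suspicious statd event's timestamp to the source IPs that ipfw logged
    reaching the statd host (portmapper or any other port) within `window` seconds before it."""
    ipfw = [(_ts(m.group(1)), m.group(2)) for m in map(IPFW_RE.match, log.splitlines()) if m]
    result = {}
    for stamp, _payload in suspicious_statd_events(log):
        t = _ts(stamp)
        srcs = {src for when, src in ipfw if 0 <= (t - when).total_seconds() <= window}
        result[stamp] = sorted(srcs)
    return result

if __name__ == "__main__":
    for stamp, srcs in correlate_sources(SAMPLE_LOG).items():
        print(stamp, "sm_stat overflow attempt; candidate sources:", ", ".join(srcs) or "none logged")
```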