Date: Wed, 12 Dec 2001 00:35:18 -0500
From: Jim Conner <jconner@enterit.com>
To: "BSDJunk" <BSDJunk@bzerk.org>
Cc: <jacks@sage-american.com>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: Intruder attempts?
Message-ID: <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com>
In-Reply-To: <048101c18149$ca0363a0$0801a8c0@lan.1729.net>
References: <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>
At 08:10 12.10.2001 +0100, BSDJunk wrote:

>Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and
>for NIS e.g.

Heh, I hate it when I say dumb, i.e. wrong, things. :) Thank you for correcting me. However, I am still correct that this is an rpc.statd exploit. In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and make it equal to "NO".

>----- Original Message -----
>From: "Jim Conner" <jconner@enterit.com>
>To: <jacks@sage-american.com>
>Cc: <freebsd-questions@FreeBSD.ORG>
>Sent: Monday, December 10, 2001 7:46 AM
>Subject: Re: Intruder attempts?
>
>
> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> > >I've noticed this often on the console of the server and appears to be
> > >intruder attempts to login: This is just a snippet:
> > >
> > ><snip/>
> > >server1.net kernel log messages:
> > >
> > >Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
> > >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
> > >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
> > >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > ></snip>
> > >
> > >
> > This is a bad thing. This is somebody attempting to use a buffer overflow
> > exploit against your rpc services. If you don't need them, I suggest you
> > turn portmap off. That means that if you don't want or need people
> > rsh'ing, rcp'ing, etc into your box, turn off portmap.
> >
> > - Jim
> >
> >
> > >Best regards,
> > >Jack L. Stone,
> > >Server Admin
> > >
> > >Sage-American
> > >http://www.sage-american.com
> > >jacks@sage-american.com
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-questions" in the body of the message
> >
> >
> > - Jim
> > http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
>

- Jim
http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
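A defender-side check for the kind of rpc.statd line quoted in this thread, added here as an example; it is not code from any message above. It assumes syslog-style lines as constructed inline (the first one carries a cat -v style rendering of the quoted payload) and flags an sm_stat hostname argument that carries printf conversions, in particular the memory-writing %n, since a legitimate hostname never does.

```python
import re

# Constructed sample lines, modelled on the rpc.statd message quoted above.
SAMPLE_LOG = "\n".join([
    r"Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: "
    r"^X\M-w\M^?\M-?^X\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n",
    r"Dec  8 03:42:01 sage-one rpc.statd: invalid hostname to sm_stat: nfs-client.example.net",
    r"Dec  8 03:42:05 sage-one sshd[123]: Accepted publickey for jacks from 192.0.2.10",
])

# Timestamp, host, and the rejected hostname argument of sm_stat.
STATD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rpc\.statd: invalid hostname to sm_stat: (?P<name>.*)$"
)
# printf-style conversions; %n is the one that writes to memory.
CONV_RE = re.compile(r"%\d*[diouxXeEfgGcspn]")


def classify(line):
    """Return None for lines that are not rpc.statd sm_stat rejections,
    otherwise a verdict on whether the rejected name looks like a payload."""
    m = STATD_RE.match(line)
    if m is None:
        return None
    name = m.group("name")
    convs = CONV_RE.findall(name)
    writes = sum(1 for c in convs if c.endswith("n"))
    # A real hostname carries neither printf conversions nor non-printable bytes.
    nonprint = any(not 32 <= ord(ch) < 127 for ch in name)
    suspicious = writes > 0 or len(convs) >= 3 or nonprint
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "conversions": len(convs),
        "writes": writes,
        "suspicious": suspicious,
    }


def scan(text):
    """Classify every rpc.statd sm_stat line in a syslog text."""
    return [v for v in (classify(l) for l in text.splitlines()) if v is not None]


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(v)
```

Run it against /var/log/messages to separate real NFS client hostname typos from payloads like the one above; a hit is the cue to confirm rpc_statd_enable="NO" in rc.conf if the service is not needed.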