From owner-freebsd-security  Thu Jan 25  9:42: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gifw.genroco.com (genroco.com [205.254.195.202])
	by hub.freebsd.org (Postfix) with ESMTP id 35AAE37B404
	for <freebsd-security@FreeBSD.ORG>; Thu, 25 Jan 2001 09:41:33 -0800 (PST)
Received: from gi2.genroco.com (IDENT:root@gi2.genroco.com [192.133.120.3])
	by gifw.genroco.com (8.9.3/8.9.3) with ESMTP id LAA04301;
	Thu, 25 Jan 2001 11:41:30 -0600
Received: from scot.genroco.com (scot.genroco.com [192.133.120.125])
	by gi2.genroco.com (8.9.3/8.9.3) with SMTP id LAA31473;
	Thu, 25 Jan 2001 11:41:19 -0600
Message-ID: <024b01c086f6$0cfda480$7d7885c0@genroco.com>
From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Steven G. Kargl" <kargl@troutmask.apl.washington.edu>,
	<freebsd-security@FreeBSD.ORG>
References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu>
Subject: Re: buffer overflows in rpc.statd?
Date: Thu, 25 Jan 2001 11:41:16 -0600
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

From: "Steven G. Kargl" <kargl@troutmask.apl.washington.edu>
> Are there any known compromises of rpc.statd that involve
> buffer overflows?  I have several entries in /var/log/messages that
> look suspicious, but I currently don't know what these entries
> mean (see attachment).   The suspicious entries appear to be
> buffers that someone or something has tried to overflow.
>
I've been seeing the same thing on a FreeBSD 4.2-STABLE (Dec 23).

Anybody have an Ideal as to what this is?

Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat:
^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
\x
ff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%
10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P

Scot



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message