From owner-freebsd-security Thu Jan 25 10: 6:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 2B26537B6A5 for ; Thu, 25 Jan 2001 10:06:14 -0800 (PST)
Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id NAA00434; Thu, 25 Jan 2001 13:04:32 -0500 (EST)
From: David La Croix
Message-Id: <200101251804.NAA00434@cowpie.acm.vt.edu>
Subject: Re: buffer overflows in rpc.statd?
In-Reply-To: <026c01c086f6$c2c151e0$7d7885c0@genroco.com> from "Scot W. Hetzel" at "Jan 25, 1 11:46:33 am"
To: hetzels@westbend.net (Scot W. Hetzel)
Date: Thu, 25 Jan 2001 12:04:32 -0600 (CST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I started seeing this kind of activity on my servers beginning around August. I don't specifically log the reports, but looking at the packet refused counters on my IPFW rules, they do continue.

I don't know what the consensus is about adding logging of network details about this stuff to rpc.statd, but you can capture logs of any/all network activity you want by adding the "log" directive to a firewall rule. Not sure how much value those logs will be, since there's a significant amount of forged IP headers, source routing, etc., especially among 5kr1pt k1dd135.

man ipfw.

BTW... not that I know of any specific exploits for Rpc.* family servers, but I would recommend setting up firewall rules to prevent anyone you don't trust from accessing those services (or any other services you might be paranoid about). Even better, make sure your server and clients are behind a firewall that prevents source-routed/forged packets from the outside from spoofing as a part of your LAN.

> From: "Scot W. Hetzel"
>
> > > Anybody have an idea as to what this is?
> > >
> > > Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat:
> > > ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
> > \x
>
> Thanks, Chris, for letting us know it's a Linux exploit.
>
> Is there any way that we can find the IP address of the script kiddie using
> this exploit so we can inform their ISP?
>
> Thanks,
>
> Scot
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
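Scot asks how to recover the source address behind the rpc.statd complaint, and David's answer is to add "log" to the ipfw rule covering that traffic. As an added example that is not from either poster, the Python below flags rpc.statd "invalid hostname" entries whose hostname is escaped binary rather than a name, and lists the inbound sources ipfw logged in the preceding seconds; the syslog excerpt, addresses and year are constructed assumptions, and the ipfw line layout follows the FreeBSD kernel's "ipfw: rule action proto src:port dst:port in via iface" format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not from the thread). The rpc.statd line
# mimics the one Scot quoted; the ipfw lines are what appears once "log" is
# added to the rules that cover portmapper (111) and statd traffic.
SAMPLE_LOG = """\
Jan 25 03:27:45 spare /kernel: ipfw: 300 Accept TCP 192.0.2.77:1893 198.51.100.9:111 in via fxp0
Jan 25 03:27:46 spare /kernel: ipfw: 300 Accept UDP 192.0.2.77:1894 198.51.100.9:1023 in via fxp0
Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat: ^X\\xf7\\xff\\xbf^X\\xf7\\xff\\xbf^Y\\xf7\\xff\\xbf
Jan 25 03:29:10 spare /kernel: ipfw: 300 Accept UDP 198.51.100.20:1023 198.51.100.9:1023 in via fxp0
Jan 25 03:40:00 spare /kernel: ipfw: 400 Deny TCP 203.0.113.5:4000 198.51.100.9:111 in via fxp0
"""

TS_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) ")
STATD_RE = re.compile(r"rpc\.statd: invalid hostname to sm_stat: (.*)$")
IPFW_RE = re.compile(r"ipfw: (\d+) (\w+) (\w+) (\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)")
# syslog writes unprintable bytes as \xHH and control characters as ^X;
# a "hostname" made of those is a binary blob, not a name.
BINARY_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\^[@-_]")

def parse_ts(line, year=2001):
    """syslog omits the year; the caller supplies it (2001 is assumed here)."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}:{m[4]}:{m[5]}", "%Y %b %d %H:%M:%S")

def is_binary_hostname(field):
    return bool(BINARY_RE.search(field))

def correlate(log_text, window=30):
    """Map each suspicious statd complaint (its timestamp) to the inbound source
    addresses ipfw logged in the preceding `window` seconds. These are leads only:
    as the thread notes, source addresses in this traffic are often forged."""
    ipfw, statd = [], []
    for line in log_text.splitlines():
        if (m := IPFW_RE.search(line)):
            if m[8] == "in":
                ipfw.append((parse_ts(line), m[4]))
        elif (m := STATD_RE.search(line)) and is_binary_hostname(m[1]):
            statd.append((parse_ts(line), line[:15]))
    hits = {}
    for when, key in statd:
        lo = when - timedelta(seconds=window)
        hits[key] = sorted({src for ts, src in ipfw if lo <= ts <= when})
    return hits

if __name__ == "__main__":
    for key, srcs in correlate(SAMPLE_LOG).items():
        print(f"{key}: binary hostname to sm_stat; inbound sources in window: {srcs}")
```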