From owner-freebsd-security  Thu Jan 25 10:10:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from h-209-91-79-2.gen.cadvision.com (h-209-91-79-2.gen.cadvision.com [209.91.79.2])
	by hub.freebsd.org (Postfix) with ESMTP id A443237B6A5
	for <freebsd-security@freebsd.org>; Thu, 25 Jan 2001 10:10:38 -0800 (PST)
Received: from cirp.org (localhost [127.0.0.1])
	by h-209-91-79-2.gen.cadvision.com (8.9.3/8.9.3) with ESMTP id LAA04410
	for <freebsd-security@freebsd.org>; Thu, 25 Jan 2001 11:10:26 -0700 (MST)
	(envelope-from gtf@cirp.org)
Message-Id: <200101251810.LAA04410@h-209-91-79-2.gen.cadvision.com>
Date: Thu, 25 Jan 2001 11:10:25 -0700 (MST)
From: "Geoffrey T. Falk" <gtf@cirp.org>
Subject: rpc.statd bloat
To: freebsd-security@freebsd.org
In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a related note: Is it normal for rpc.statd to bloat? rpc.statd on
boojum, my 4.0-RELEASE box, recently experienced a VSIZE > 274000.

This box is an NFS server, but I don't think my NFS client (NEXTSTEP 
3.2) is using rpc.statd, because it runs just fine without it.

Thanks
g.


On 25 Jan, Steven G. Kargl wrote:
> Are there any known compromises of rpc.statd that involve
> buffer overflows?  I have several entries in /var/log/messages that
> look suspicious, but I currently don't know what these entries
> mean (see attachment).   The suspicious entries appear to be
> buffers that someone or something has tried to overflow.
> 




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message