Date: Thu, 25 Jan 2001 17:07:09 -0500 (EST)
From: Matt Piechota
To: "Steven G. Kargl"
Subject: Re: buffer overflows in rpc.statd?
In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 25 Jan 2001, Steven G. Kargl wrote:

> Are there any known compromises of rpc.statd that involve
> buffer overflows? I have several entries in /var/log/messages that
> look suspicious, but I currently don't know what these entries
> mean (see attachment). The suspicious entries appear to be
> buffers that someone or something has tried to overflow.

I just read a news item (on www.theregister.co.uk) talking about the Ramen
worm that affects Redhat 6.2 and 7.0. One of the exploits it uses is to
overrun something in rpc.statd. The URL to the story is
http://www.theregister.co.uk/content/6/16375.html, which has a link to the
RedHat security advisories.

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron