Date:      Thu, 17 Aug 2000 16:23:34 -0500 (CDT)
From:      David La Croix <dlacroix@cowpie.acm.vt.edu>
To:        freebsd-security@freebsd.org
Subject:   rpc.statd -- is someone trying to exploit a buffer overflow?
Message-ID:  <200008172123.RAA16515@cowpie.acm.vt.edu>


I manage a fileserver for my company, and it happens to be running 
FreeBSD 3.4-Stable (April 10) with NFS enabled:

I've noticed repeated messages of the form:
DATE maurice rpc.statd: invalid hostname to sm_stat: lots of binary crap.

The binary stuff takes on 2 values:

Aug  9 07:02:40 maurice rpc.statd: invalid hostname to sm_stat: ^Xw^??^Xw^??^Yw^
??^Yw^??^Zw^??^Zw^??^[w^??^[w^??%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%
192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P

and

Aug  9 17:22:50 maurice rpc.statd: Invalid hostname to sm_mon: ^Dw^??^Dw^??^Ew^?
?^Ew^??^Fw^??^Fw^??^Gw^??^Gw^??%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x
 %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^PkK^      
v,^Cn ^M^(^CF   ^0^Cn ^M^.^CF ^CC ^Ck#  ^41@^Cn ^HF'^HF*^CF ^HF+        F80+,   
s^MN,^MV8M


All told, there have been a total of 49 entries like this in the log of
this one server.

Can ANYBODY explain what these messages mean?  Is it an attempt by someone
to exploit a buffer overflow via bad DNS?  Is someone (script kiddie)
trying to hack boxes all over the place that have an old rpc.statd?

Is there anything I should be concerned about?

(I am about to enable firewall code on the box in question to block access
to RPC and other stuff from outside the immediate lan.  Just a little tricky
doing this on a production box while people are working).



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200008172123.RAA16515>