Date:      Thu, 12 Oct 2000 00:32:22 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Pär Thoren <t98pth@student.hk-r.se>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: rpc.statd
Message-ID:  <20001012003222.N25121@149.211.6.64.reflexcom.com>
In-Reply-To: <Pine.GSO.4.21.0010112337560.15640-100000@orc.rby.hk-r.se>; from t98pth@student.hk-r.se on Wed, Oct 11, 2000 at 11:46:08PM +0200
References:  <Pine.GSO.4.21.0010112337560.15640-100000@orc.rby.hk-r.se>

On Wed, Oct 11, 2000 at 11:46:08PM +0200, Pär Thoren wrote:
> 
> Hi!
> 
> I got this today in my /var/log/messages
> 
> 
> Oct 11 23:28:43 z rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> 
> 
> ..oh ..that's a strange hostname.
> 
> Which exploit is it that the attacker tries to use? I guess I'm not
> vulnerable cause I'm still around ;)

Most likely someone tried a Linux exploit on you,

  http://www.securityfocus.com/vdb/bottom.html?vid=1480

> Also, where can I find the ip of the attacker? Is it logged? 

Not 100% on this, but I think that is only logged if you used the '-d'
option. See rpc.statd(8).
-- 
Crist J. Clark                           cjclark@alum.mit.edu
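
The log entry quoted above has a recognizable shape: printf conversions, including %n, sitting where a hostname should be. The following Python script is an added example, not part of the original message, that flags such rpc.statd entries in a syslog file; the function name, the run-length threshold and the sample lines are constructed for illustration.

```python
import re

# Message prefix as it appears in the log line quoted in this thread.
STATD_RE = re.compile(r"rpc\.statd(?:\[\d+\])?: invalid hostname to sm_stat: (?P<host>.*)$")
# A printf conversion: '%', optional flags, width, precision, length, conversion.
FMT_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|q|L|j|z|t)?([diouxXeEfgGcspn])")
# "M-^P" is the cat -v style rendering of byte 0x90; match a run of 8 or more.
PAD_RE = re.compile(r"(?:M-\^P){8,}")
# Characters allowed in a DNS hostname; anything else is worth a look.
HOST_OK = re.compile(r"^[A-Za-z0-9.-]{1,255}$")


def classify(line):
    """Return None for unrelated lines, else a dict describing the rejected hostname."""
    m = STATD_RE.search(line)
    if m is None:
        return None
    host = m.group("host")
    convs = FMT_RE.findall(host)       # list of conversion characters found
    writes = convs.count("n")          # %n stores a count through a pointer
    pad = PAD_RE.search(host)
    pad_len = len(pad.group(0)) // 4 if pad else 0
    if writes or (convs and pad_len):
        verdict = "format-string probe"
    elif convs or pad_len or not HOST_OK.match(host):
        verdict = "malformed"
    else:
        verdict = "plain"
    return {"conversions": len(convs), "writes": writes,
            "pad_bytes": pad_len, "verdict": verdict}


# Constructed sample lines (the first is a shortened imitation of the quoted entry).
SAMPLES = [
    "Oct 11 23:28:43 z rpc.statd: invalid hostname to sm_stat: %8x%8x%8x%236x%n%137x%n" + "M-^P" * 12,
    "Oct 11 23:30:01 z rpc.statd: invalid hostname to sm_stat: bad_host!",
    "Oct 11 23:31:07 z rpc.statd: invalid hostname to sm_stat: nfs1.example.org",
    "Oct 11 23:32:15 z sshd[411]: Connection closed by 192.0.2.7",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
```

Feeding it each line of /var/log/messages and alerting on the "format-string probe" verdict separates entries like the one above from ordinary typos in hostnames.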

