Date:      Thu, 8 Mar 2001 08:27:58 -0800
From:      "oldfart@gtonet" <oldfart@gtonet.net>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   RE: strange messages
Message-ID:  <BIEHKEFNHFMMJEKCDMLNEEBCCGAA.oldfart@gtonet.net>
In-Reply-To: <20010308081740.B84970@mollari.cthul.hu>

Well so far it's just been a few minutes and already the firewall caught an
IP from .tw (210.68.55.97) port scanning 111, the entire class-C prolly.
Man, my logs show *LOTS* of those errors, if those were all exploit attempts
there's been a bunch of busy-little-linux-weenies(TM).

Time will tell,

OF

> -----Original Message-----
> From: Kris Kennaway [mailto:kris@obsecurity.org]
> Sent: Thursday, March 08, 2001 8:18 AM
> To: oldfart@gtonet
> Cc: Will Andrews; Will Mitayai Keeso Rowe; freebsd-security@FreeBSD.ORG
> Subject: Re: strange messages
>
>
> On Thu, Mar 08, 2001 at 07:40:08AM -0800, oldfart@gtonet wrote:
>
> > > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > > (surprise!) doesn't work on FreeBSD.  :-)
> > >
> >
> > No, I don't think so, because I get that error on my NFS server too and I
> > know who's on that box and what they're running (unless this is a remote
> > exploit) I can certainly block the port (#?) via my firewall but I don't
> > think that's it. I think it's a problem that's been ignored and written off
> > as an attempted exploit on many boxes.
>
> No, it IS an inapplicable remote rpc.statd exploit which never applied
> to FreeBSD.  Notice all of the %x and %n operators in the string
> they're sending; these are the signatures of a format string bug,
> which the Linux rpc.statd suffered from, but which is different code
> to what BSD uses and therefore not an applicable vulnerability, and
> nothing more than an annoyance unless you have Linux systems you
> haven't updated in a while.
>
> > Mar  6 18:26:19 mls rpc.statd: invalid hostname to sm_stat:
> >
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8
> x%236x%n%1
> >
> 37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> M-^PM-^PM-
> >
> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> M-^PM-^PM-
>
> Kris
>
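
The signature Kris points to in the quoted reply (`%x` and `%n` conversions inside the rpc.statd "invalid hostname to sm_stat" message) can be checked for mechanically when triaging logs. The Python below is an added example, not part of the original thread; the log lines are constructed samples modelled on the quoted entry, and the host name `hostA`, the thresholds, and the reading of `M-^P` as syslogd's rendering of byte 0x90 are assumptions.

```python
import re

# printf conversions that matter for a format string bug:
# %n stores a count through a pointer, %<width>x pads output and walks the stack.
FMT_WRITE = re.compile(r"%(?:\d+\$)?h{0,2}n")
FMT_READ = re.compile(r"%(?:\d+\$)?\d*[xXp]")
# Assumption: syslogd shows byte 0x90 (x86 NOP) as "M-^P"; a long run is padding.
NOP_RUN = re.compile(r"(?:M-\^P){8,}")
# Classic BSD syslog line: "Mon DD HH:MM:SS host rpc.statd[pid]: message"
STATD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"rpc\.statd(?:\[\d+\])?:\s(?P<msg>.*)$"
)

def classify(line, min_reads=4):
    """Return a finding dict for a suspicious rpc.statd line, else None."""
    m = STATD.match(line)
    if not m:
        return None
    msg = m["msg"]
    writes = len(FMT_WRITE.findall(msg))
    reads = len(FMT_READ.findall(msg))
    # A hostname has no reason to contain %n at all; %x alone needs a few hits.
    if writes == 0 and reads < min_reads:
        return None
    return {"ts": m["ts"], "host": m["host"], "writes": writes,
            "reads": reads, "nop_sled": bool(NOP_RUN.search(msg))}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log (hypothetical host "hostA"), not taken from a real system.
SAMPLE_LOG = [
    "Mar  6 18:26:19 hostA rpc.statd: invalid hostname to sm_stat: "
    "^X^Y%8x%8x%8x%236x%n%137x%n" + "M-^P" * 12,
    "Mar  6 18:30:02 hostA rpc.statd: invalid hostname to sm_stat: bad host",
    "Mar  6 18:31:40 hostA sshd[412]: Connection closed by 192.0.2.7",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that someone sent the probe; whether the host was affected depends on which rpc.statd implementation it runs, as the reply explains.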

