From owner-freebsd-questions Mon Dec 10 9:46:16 2001
Delivered-To: freebsd-questions@freebsd.org
Message-Id: <3.0.5.32.20011210114601.01078190@mail.sage-american.com>
Date: Mon, 10 Dec 2001 11:46:01 -0600
To: Matthew Emmerton
From: jacks@sage-american.com
Subject: Re: Intruder attempts?
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To:
References: <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>

Thanks for the feedback... figured it was an attack of sorts.

At 11:06 AM 12.10.2001 -0500, Matthew Emmerton wrote:
>
> I wouldn't get too paranoid about this. What you're seeing is a Linux
> buffer overflow exploit being used against your machine, and FreeBSD has
> never been vulnerable to it.
>
> If you need NIS or NFS support on your box, look into using tcpwrappers or
> ipfw to restrict access to portmap services to systems just on your LAN.
>
> --
> Matthew Emmerton || matt@gsicomp.on.ca
> GSI Computer Services || http://www.gsicomp.on.ca
>
> On Mon, 10 Dec 2001, Jim Conner wrote:
>
>> At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
>> > I've noticed this often on the console of the server and it appears to be
>> > intruder attempts to login. This is just a snippet:
>> >
>> > server1.net kernel log messages:
>> > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
>> > ^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
>> > \M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
>> > n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>>
>> This is a bad thing. This is somebody attempting to use a buffer overflow
>> exploit against your rpc services. If you don't need them, I suggest you
>> turn portmap off. That means that if you don't want or need people
>> rsh'ing, rcp'ing, etc. into your box, turn off portmap.
>>
>> - Jim
>>
>> > Best regards,
>> > Jack L. Stone,
>> > Server Admin
>> >
>> > Sage-American
>> > http://www.sage-american.com
>> > jacks@sage-american.com
>> >
>> > To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > with "unsubscribe freebsd-questions" in the body of the message
>>
>> - Jim
>>
>> -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
>> http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
>

Best regards,
Jack L. Stone,
Server Admin

Sage-American
http://www.sage-american.com
jacks@sage-american.com
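The thread's advice is to restrict or disable portmap; a complementary step is to catch further probes like the one quoted above in the logs. The following is an added example, not code from the thread or from FreeBSD: a small Python scanner that flags rpc.statd "invalid hostname to sm_stat" entries whose hostname carries format-string directives (%n, runs of %x) or a vis(3)-encoded run of 0x90 bytes. The log lines are constructed to resemble the quoted message; the host names and timestamps are assumptions.

```python
import re

# Constructed sample syslog lines modelled on the rpc.statd entries quoted in
# the thread (hostnames/timestamps are made up, not the real log).
SAMPLE_LOG = """\
Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: ^X\\M-w\\M^?\\M-?%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^P
Dec  8 03:42:10 sage-one rpc.statd: invalid hostname to sm_stat: workstation42
Dec  8 03:45:01 sage-one sshd[123]: Accepted publickey for jack from 10.0.0.5 port 50012
"""

# syslog line with the statd message we care about; the "hostname" is whatever follows
STATD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'rpc\.statd: invalid hostname to sm_stat: (?P<name>.*)$')
FORMAT_WRITE = re.compile(r'%\d*n')      # %n writes to memory; never legitimate in a hostname
FORMAT_READ = re.compile(r'%\d*x')       # repeated %x reads stack words
NOP_SLED = re.compile(r'(?:M-\^P){4,}')  # vis(3) rendering of 0x90 (x86 NOP) repeated

def classify_hostname(name):
    """Return the list of reasons this 'hostname' looks like an attack payload."""
    reasons = []
    if FORMAT_WRITE.search(name):
        reasons.append('format-string %n')
    if len(FORMAT_READ.findall(name)) >= 4:
        reasons.append('format-string %x sweep')
    if NOP_SLED.search(name):
        reasons.append('0x90 NOP sled')
    if re.search(r'\\M', name) or len(name) > 64:
        reasons.append('non-printable or oversized')
    return reasons

def scan_log(text):
    """Yield (timestamp, host, reasons) for every suspicious statd line in text."""
    findings = []
    for line in text.splitlines():
        m = STATD_RE.match(line)
        if not m:
            continue
        reasons = classify_hostname(m.group('name'))
        if reasons:
            findings.append((m.group('ts'), m.group('host'), reasons))
    return findings

if __name__ == '__main__':
    for ts, host, reasons in scan_log(SAMPLE_LOG):
        print(f'{ts} {host}: suspicious sm_stat hostname ({", ".join(reasons)})')
```

Point it at /var/log/messages (or the daily security mail) to see whether the probes continue after portmap has been restricted with tcpwrappers or ipfw.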