Date:      Mon, 10 Dec 2001 11:06:55 -0500 (EST)
From:      Matthew Emmerton <matt@gsicomp.on.ca>
Cc:        jacks@sage-american.com, freebsd-questions@FreeBSD.ORG
Subject:   Re: Intruder attempts?
Message-ID:  <Pine.BSF.4.21.0112101105360.1436-100000@xena.gsicomp.on.ca>
In-Reply-To: <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>


I wouldn't get too paranoid about this.  What you're seeing is a Linux
buffer overflow exploit being used against your machine, and FreeBSD has
never been vulnerable to it.

If you need NIS or NFS support on your box, look into using tcpwrappers or
ipfw to restrict access to portmap services to systems just on your LAN.

-- 
Matthew Emmerton      || matt@gsicomp.on.ca
GSI Computer Services || http://www.gsicomp.on.ca

On Mon, 10 Dec 2001, Jim Conner wrote:

> At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> >I've noticed this often on the console of the server and it appears to be
> >intruder attempts to log in. This is just a snippet:
> >
> ><snip/>
> >server1.net kernel log messages:
> > > Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
> >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
> >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
> >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> ></snip>
> >
> 
> This is a bad thing.  This is somebody attempting to use a buffer overflow 
> exploit against your rpc services.  If you don't need them, I suggest you 
> turn portmap off.  That means that if you don't want or need people 
> rsh'ing, rcp'ing, etc into your box, turn off portmap.
> 
> - Jim
> 
> 
> >Best regards,
> >Jack L. Stone,
> >Server Admin
> >
> >Sage-American
> >http://www.sage-american.com
> >jacks@sage-american.com
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message
> 
> 
> 
> - Jim
> 
> -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
> http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
> 
> -----BEGIN PERL GEEK CODE BLOCK-----      ------BEGIN GEEK CODE BLOCK------
> Version: 0.01                             Version: 3.12
> P++>*@$c?P6?R+++>++++@$M                  GIT/CM/J d++(--) s++:++ a-
>  >++++$O!MA->++++E!> PU-->+++BD            C++++(+) UB++++$L++++$S++++$
> $C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++   P++(+)>+++++ L+++(++++)>+++++$ !E*
> +PP+++>++++n-CO?PO!o >++++G               W++(+++) N+ o !K w--- PS---(-)@ PE
>  >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+   Y+>+++ PGP t+(+++)>+++@ 5- X++ R@
>  >*@$uS+>*@$uH+uo+w-@$m!                   tv+ b? DI-(+++) D+++(++) G(++++)
> ------END PERL GEEK CODE BLOCK------      ------END GEEK CODE BLOCK------
> 
> 
> 


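The console record quoted in the thread is worth decoding rather than just eyeballing. syslogd writes non-printable bytes in vis(3) notation (`^X` for a control character, `\M-w` and `\M^?` for bytes with the high bit set), and once decoded the "hostname" turns out to contain a run of 0x90 bytes (the i386 NOP) and a series of printf conversions ending in `%n`, which is the signature of a format-string attack on rpc.statd rather than a plain buffer overflow. The detector below is an added example, not code from the thread or from FreeBSD: it reassembles the quoted line (mail wrapping removed), decodes the escaping, and flags any `sm_stat` record whose hostname field contains printf conversions, `%n`, high-bit bytes or a NOP run. The second record, with the hostname `nfs-client.example.lan`, is constructed for comparison.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MARKER = "rpc.statd: invalid hostname to sm_stat: "

# The hostname field from the console line quoted in the thread, reassembled
# from its mail-wrapped pieces: eight 4-byte groups of control + high-bit
# bytes, nine "%8x" pads, four width/%n pairs, and thirteen "M-^P" (0x90).
ATTACK_FIELD = (
    "".join(c + r"\M-w\M^?\M-?" for c in ("^X", "^X", "^Y", "^Y", "^Z", "^Z", "^[", "^["))
    + "%8x" * 9 + "%236x%n%137x%n%10x%n%192x%n"
    + "M-^P" * 13
)

# Constructed sample log: the quoted attack record plus a benign record.
SAMPLE_LOG = [
    "Dec  8 03:41:47 sage-one " + MARKER + ATTACK_FIELD,
    "Dec  8 03:42:01 sage-one " + MARKER + "nfs-client.example.lan",
]

# vis(3) tokens as syslogd emits them, plus cat -v's "M-^X" spelling:
#   \M-^X / M-^X  meta + control      \M^X  meta + control (vis style)
#   \M-x  / M-x   meta (0x80 | x)     ^X    control (x ^ 0x40)
VIS_TOKEN = re.compile(r"\\?M-\^(.)|\\?M\^(.)|\\?M-(.)|\^(.)|(.)", re.DOTALL)

# printf conversions that an attacker can plant in untrusted input.
FORMAT_DIRECTIVE = re.compile(rb"%(\d*)([diouxXnsp])")


def decode_vis(text: str) -> bytes:
    """Undo vis(3)/cat -v escaping and return the original bytes."""
    out = bytearray()
    for m in VIS_TOKEN.finditer(text):
        meta_ctrl_a, meta_ctrl_b, meta, ctrl, literal = m.groups()
        meta_ctrl = meta_ctrl_a if meta_ctrl_a is not None else meta_ctrl_b
        if meta_ctrl is not None:
            out.append(0x80 | (ord(meta_ctrl) ^ 0x40))   # M-^P -> 0x90, \M^? -> 0xff
        elif meta is not None:
            out.append(0x80 | ord(meta))                 # \M-w -> 0xf7, \M-? -> 0xbf
        elif ctrl is not None:
            out.append(ord(ctrl) ^ 0x40)                 # ^X -> 0x18, ^? -> 0x7f
        else:
            out += literal.encode("latin-1", "replace")
    return bytes(out)


@dataclass
class Verdict:
    host: str
    directives: int        # printf conversions found in the "hostname"
    writes: int            # %n conversions: printf would write to memory
    longest_nop_run: int   # longest run of 0x90 bytes
    high_bytes: int        # bytes >= 0x80, never present in a real hostname
    suspicious: bool


def analyse(line: str) -> Optional[Verdict]:
    """Decode one syslog line; None if it is not an sm_stat hostname complaint."""
    if MARKER not in line:
        return None
    head, field = line.split(MARKER, 1)
    words = head.split()
    host = words[3] if len(words) > 3 else "?"
    raw = decode_vis(field)
    conversions = FORMAT_DIRECTIVE.findall(raw)
    writes = sum(1 for _, conv in conversions if conv == b"n")
    nop_run = max((len(r) for r in re.findall(rb"\x90+", raw)), default=0)
    high = sum(1 for b in raw if b >= 0x80)
    # A legitimate hostname has none of these; any one is enough to flag the
    # record, and %n is the strongest signal because it implies a memory write.
    suspicious = writes > 0 or len(conversions) > 0 or high > 0 or nop_run >= 4
    return Verdict(host, len(conversions), writes, nop_run, high, suspicious)


def scan(lines: List[str]) -> List[Verdict]:
    """Return a verdict for every sm_stat hostname record in the input."""
    return [v for v in map(analyse, lines) if v is not None]


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        flag = "ATTACK" if v.suspicious else "ok"
        print(f"{flag:6} host={v.host} conversions={v.directives} %n={v.writes} "
              f"nop_run={v.longest_nop_run} high_bytes={v.high_bytes}")
```

Feeding `/var/log/messages` through `scan()` turns the unreadable console line into an alertable event; the fix itself is still what the thread says, either turning portmap off when nothing needs it or restricting it to the LAN with tcpwrappers or ipfw.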



