Date: Thu, 9 Oct 2003 14:35:05 +0100
From: Ceri Davies <setantae@submonkey.net>
To: Charles Howse <chowse@charter.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Unusual logcheck entry
Message-ID: <20031009133505.GD32124@submonkey.net>
In-Reply-To: <005d01c38e5f$36fbba10$04fea8c0@moe>
References: <20031009105138.GC7709@rot13.obsecurity.org> <005d01c38e5f$36fbba10$04fea8c0@moe>
On Thu, Oct 09, 2003 at 07:16:45AM -0500, Charles Howse wrote:
> > On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > > The following appeared in /var/log/messages in my daily logcheck report:
> > >
> > > Oct 8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%5185
> > 9x%hnM-^PM
> <snip>
> > > At that time, I was sitting on the couch watching the Cubs play the
> > > Marlins.
> > > Any idea what this means?
> >
> > This is an attempt to exploit an old Linux rpc.statd
> > vulnerability. See the mailing list archives for extensive discussion
> > a few years ago.
>
> OK, I got some good info from the archives.
> I realize this is a harmless attack if running FBSD.
> I also realize that I shouldn't be running rpc on an interface facing
> the internet.
> For various reasons, this server is outside my hardware firewall, and
> I'm not interested in configuring a software firewall.
> Correct me if I'm wrong, but it looks to me like rpc.statd is related
> (at least) to NFS.
> I've placed the line "nfs_server_flags="-h 192.168.254.2" in my
> /etc/rc.conf, and rebooted.
> I've also edited /etc/ssh/sshd_config, and told it to listen only on
> 192.168.254.2, and not allow root logins.
> Am I now protected from this attack? (note rpc.stat lines below)

You were anyway; this never affected FreeBSD.

However, I'd also add portmap_flags="-h 192.168.254.2" to your rc.conf if I
were you.

I'd also reconsider the decision not to run a firewall.

Ceri
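The two practical points in this exchange, as an added example that is not part of the original thread and not FreeBSD's code: a small Python checker that (a) scans syslog lines for rpc.statd "invalid hostname to sm_stat" entries carrying printf conversion directives, treating the %n family (the %hn in the quoted entry) as the memory-write primitive that distinguishes a format-string probe from a merely unresolvable hostname, and (b) reports which of nfs_server_flags / portmap_flags in an rc.conf lack the -h bind address Ceri recommends. The log lines and the rc.conf fragment are constructed for illustration; the probe line is modelled on the entry quoted above, with the non-printable bytes kept in the caret notation the report used.

```python
"""Flag rpc.statd format-string probes in syslog and check rc.conf RPC bindings.

Added example; the sample log and rc.conf text below are constructed.
"""
import re
from dataclasses import dataclass

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
STATD_PREFIX = "invalid hostname to sm_stat: "

# printf-style directive: flags, width, precision, length modifier, conversion.
DIRECTIVE_RE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]"
)
# The %n family writes the byte count so far to a pointer taken from the
# stack; %hn (a 16-bit write) is what turns a format-string bug into an
# arbitrary write, so its presence is the strongest signal.
WRITE_RE = re.compile(r"%[-+ #0]*\d*(?:hh|h|ll|l|j|z|t)?n")
# A well-formed hostname never contains '%', so it is not a probe.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


@dataclass
class Finding:
    host: str
    ts: str
    directives: int  # total printf directives in the "hostname"
    writes: int      # how many of them are %n-family writes
    payload: str


def scan_statd(lines):
    """Return a Finding for every rpc.statd sm_stat entry that carries printf directives."""
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "rpc.statd" or not m["msg"].startswith(STATD_PREFIX):
            continue
        payload = m["msg"][len(STATD_PREFIX):]
        if HOSTNAME_RE.match(payload):
            continue  # unresolvable but legitimate hostname: noise, not an attack
        directives = DIRECTIVE_RE.findall(payload)
        if directives:
            findings.append(Finding(m["host"], m["ts"], len(directives),
                                    len(WRITE_RE.findall(payload)), payload))
    return findings


# rc.conf variables whose daemons (nfsd(8), portmap(8)) accept -h <addr> to bind
# to a single address instead of every interface.
RC_BIND_VARS = ("nfs_server_flags", "portmap_flags")


def unbound_rpc_services(rc_conf_text):
    """Return the RC_BIND_VARS entries that do not carry a '-h <address>' binding."""
    values = {}
    for raw in rc_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            values[m[1]] = m[2]
    return [var for var in RC_BIND_VARS
            if not re.search(r"(?:^|\s)-h\s+\S+", values.get(var, ""))]


# Constructed sample data.
SAMPLE_LOG = [
    "Oct  8 20:38:40 curly sshd[512]: Accepted publickey for user from 192.168.254.10 port 40122 ssh2",
    "Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat: "
    "^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn",
    "Oct  8 20:39:01 curly rpc.statd: invalid hostname to sm_stat: nas.example.invalid",
    "Oct  8 20:39:15 curly cron[700]: (root) CMD (/usr/libexec/atrun)",
]
SAMPLE_RC_CONF = """
hostname="curly.example.invalid"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.254.2"   # bound to the inside address
portmap_enable="YES"
sshd_enable="YES"
"""

if __name__ == "__main__":
    for f in scan_statd(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: format-string probe, {f.directives} directives, "
              f"{f.writes} %n-family writes")
    for var in unbound_rpc_services(SAMPLE_RC_CONF):
        print(f'rc.conf: {var} has no -h bind address; add {var}="-h <inside-addr>"')
```

Run stand-alone it reports the probe (13 directives, two %hn writes) and that portmap_flags is still unbound, which is exactly the follow-up Ceri suggests. The -h check is a configuration sanity check only; as Ceri says, the FreeBSD statd was never vulnerable, so the binding is about not exposing RPC at all rather than about this specific probe.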