Date:      Thu, 12 Oct 2000 10:02:41 +0200 (IST)
From:      Roman Shterenzon <roman@xpert.com>
To:        cjclark@alum.mit.edu
Cc:        freebsd-stable@freebsd.org
Subject:   Re: rpc.statd
Message-ID:  <Pine.LNX.4.10.10010120959030.24589-100000@jamus.xpert.com>
In-Reply-To: <20001012003222.N25121@149.211.6.64.reflexcom.com>

On Thu, 12 Oct 2000, Crist J . Clark wrote:

> > ..oh ..that's a strange hostname.
> >
> > Which exploit is it that the attacker tries to use? I guess I'm not
> > vulnerable cause I'm still around ;)
>
> Most likely someone tried a Linux exploit on you,
>
>   http://www.securityfocus.com/vdb/bottom.html?vid=1480
>
> > Also, where can I find the ip of the attacker? Is it logged?
>
> Not 100% on this, but I think that is only logged if you used the '-d'
> option. See rpc.statd(8).

Which makes me think...
How does one protect rpc services rather than having default-deny policy on
outer interface? And if it's the only interface?
Of course it's possible to filter port 111 (or use /etc/hosts.allow), but
the attacker can contact the rpc.statd directly.
Is it possible to force some rpc service to some port so it can be
filtered?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
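
The point raised in the message above, that filtering port 111 still leaves rpc.statd reachable on the port it registered, can be checked against `rpcinfo -p` output. This is an added example, not part of the original message; the sample listing, its status port numbers and the filter set are constructed.

```python
"""Audit rpcinfo -p output against a port filter list (added example)."""

# Constructed sample of `rpcinfo -p` output; the status ports are made up
# to stand for the dynamic ports registered with the portmapper.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    932  status
    100024    1   tcp    935  status
    100003    2   udp   2049  nfs
"""


def parse_rpcinfo(text):
    """Return a list of dicts, one per registered RPC program/transport."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a data row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        entries.append({
            "program": int(fields[0]),
            "version": int(fields[1]),
            "proto": fields[2],
            "port": int(fields[3]),
            # The service name column is absent for unnamed programs.
            "service": fields[4] if len(fields) > 4 else "-",
        })
    return entries


def reachable_despite_filter(entries, filtered):
    """List (service, proto, port) not covered by the (proto, port) filter set."""
    exposed = {(e["service"], e["proto"], e["port"])
               for e in entries if (e["proto"], e["port"]) not in filtered}
    return sorted(exposed)


if __name__ == "__main__":
    # Hypothetical firewall policy: only the portmapper port is blocked.
    only_portmapper = {("tcp", 111), ("udp", 111)}
    for service, proto, port in reachable_despite_filter(
            parse_rpcinfo(SAMPLE_RPCINFO), only_portmapper):
        print(f"{service:<12}{proto}/{port} still reachable")
```

Running the same check on real `rpcinfo -p` output after each reboot shows whether the status ports have moved outside the filter set.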


