Date:      Mon, 23 Apr 2001 10:33:36 -0800
From:      Beech Rintoul <akbeech@anchoragerescue.org>
To:        "Nathan Vidican" <webmaster@wmptl.com>, questions@freebsd.org
Subject:   Re: Continously getting error 'rpc.statd: invalid hostname to sm_stat: ...' could it be a DOS attack?
Message-ID:  <01042310333602.01587@galaxy.anchoragerescue.org>
In-Reply-To: <01042310270701.01587@galaxy.anchoragerescue.org>
References:  <200104231831.OAA47437@mail2.wmptl.com> <01042310270701.01587@galaxy.anchoragerescue.org>

On Monday 23 April 2001 10:27, Beech Rintoul wrote:
> On Monday 23 April 2001 10:31, Nathan Vidican wrote:
> > We have, (for several weeks now), been getting the error message
> > (logged to both the console, and /var/log/messages) as follows:
> >
> > Apr 17 11:43:35 home rpc.statd: invalid hostname to sm_stat: ^X\xf7
> > \xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
> > \xff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%
> > 137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^P
> >
> > What does this error mean? What is causing it? How can we fix it? It
> > seems to be happening on several machines, all running various
> > snapshots of 4.2-STABLE, but this is the only machine it seems to be
> > hindering performance on.
> >    The machine seems to inexplicably lose network connectivity to our
> > LAN; no error(s), valid link on the switch, but no ping/net traffic in
> > or out. We have since Friday replaced the NIC which loses connectivity
> > assuming perhaps it was a faulty NIC, (or due to a recent upgrade of
> > our network to 100BaseFX unable to handle load -was a cheap card).  The
> > system has not since Friday gone down as it was last week, but the
> > above noted error is being logged to the screen far more frequently,
> > (10-30 times per day now).
> >    The machine from above is (uname -a):
> >
> > FreeBSD home.wmptl.com 4.1-20000729-STABLE FreeBSD 4.1-20000729-STABLE
> > #1: Thu Apr 19 16:53:54 EDT 2001
> > nvidican@home.wmptl.com:/usr/src/sys/compile/wmp2  i386
> >
> >    I would greatly appreciate any thoughts, comments, or insight into
> > the problem that anyone could share. This one's not making any sense to
> > me; could it be some sort of DOS attack? If any more information
> > required to give a better understanding of what's going on, please
> > email me and I will attempt to clarify in more detail than this email
> > does.
>
> It's a hack attempt with an old Linux kiddie script. Never affected FreeBSD,
> and no longer works on Linux. I wouldn't worry about it, we get that three
> or four times a day.
>
> Beech

As for your other probs, you may be the victim of other hack attempts. I 
would enable log_in_vain on your kernel, and see who's trying your ports.

Beech
-------------------------------------------------------------------
     Beech Rintoul - IT Manager - Instructor - akbeech@anchoragerescue.org
/"\   ASCII Ribbon Campaign  | Anchorage Gospel Rescue Mission
\ / - NO HTML/RTF in e-mail  | P.O. Box 230510
 X  - NO Word docs in e-mail | Anchorage, AK 99523-0510
/ \ -----------------------------------------------------------------
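
A log-triage check for entries like the one quoted in this thread, added here as an example and not part of the original messages: it flags rpc.statd "invalid hostname to sm_stat" lines whose logged hostname carries format-string directives (%n, width-padded %x) or runs of M-^P, the logged rendering of byte 0x90. The sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines, shortened from the shape of the quoted entry.
SAMPLE_LOG = r"""Apr 17 11:43:35 home rpc.statd: invalid hostname to sm_stat: ^X\xf7\xff\xbf%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
Apr 17 11:50:02 home sshd[211]: Connection from 192.0.2.10 port 1023
Apr 18 02:14:09 home rpc.statd: invalid hostname to sm_stat: %8x%8x%n%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
Apr 18 09:00:00 home rpc.statd: invalid hostname to sm_stat: bad host!name
"""

LINE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<time>[\d:]+) (?P<host>\S+) "
    r"rpc\.statd(?:\[\d+\])?: invalid hostname to sm_stat: (?P<arg>.*)$"
)
FMT_WRITE = re.compile(r"%\d*h{0,2}n")   # %n family: printf writes to memory
FMT_PAD = re.compile(r"%\d+x")           # width-padded %x conversions
NOP_RUN = re.compile(r"(?:M-\^P){4,}")   # repeated byte 0x90 as it appears in the log

def indicators(arg):
    """Return the exploit-shaped features present in one logged hostname."""
    found = []
    if FMT_WRITE.search(arg):
        found.append("format-write")
    if len(FMT_PAD.findall(arg)) >= 2:
        found.append("format-padding")
    if NOP_RUN.search(arg):
        found.append("nop-run")
    return found

def scan(text):
    """Return (day, host, indicators) for each rpc.statd line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            found = indicators(m.group("arg"))
            if found:
                hits.append((m.group("day"), m.group("host"), found))
    return hits

def per_day(hits):
    """Count flagged entries per day to show how often the host is being probed."""
    return Counter(day for day, _host, _found in hits)

if __name__ == "__main__":
    for day, host, found in scan(SAMPLE_LOG):
        print(day, host, ",".join(found))
    print(dict(per_day(scan(SAMPLE_LOG))))
```

The rpc.statd message itself carries no source address, so the per-day counts only show frequency; identifying the sender needs a separate connection log.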
