On Tue, Jul 30, 2002 at 09:51:19AM +0200, Giacomo Mulas wrote:
> On Tue, 30 Jul 2002, Liu, GuangYu wrote:
>
> > Hi there,
> > Anybody knows what caused the following error message:
> >
> > Jul 30 13:16:35 liugy rpc.statd[298]: gethostbyname error for
> > ^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
>
> it means somebody tried to cause a buffer overflow on your rpc.statd to
> gain access to your computer. The very fact that you saw that log line and
> that rpc.statd is still running means that the attempt failed (it was an

I am not sure about that. I was once attacked in a similar manner, where
the attacker managed to get him/herself an account on the machine in
question and to reboot it. The only reason the attack didn't go further was
that the attacker forgot to generate his/her own ssh key and could not log
in (only public-key login allowed).

Mathias

> old bug and hopefully you are running a non-vulnerable version of
> rpc.statd). You should nonetheless do a couple of things:
>
> 1) determine where the attack came from: if it came from within your
> network it means that either you have a malicious user or (more likely) a
> compromised host already. In this latter case, take down the compromised
> host, examine it carefully and clean it up before putting it back online.
>
> 2) determine whether you actually need rpc.statd (and/or any other
> RPC based daemons) running on that computer and, if you don't actually
> need them, don't run them!
>
> 3) if you do need them (e.g. you need to export NFS file systems) restrict
> access to all of these relatively fragile services to trusted hosts, using
> hosts.allow, hosts.deny and/or firewalling.
>
> The net is becoming a dangerous place, if you aren't cautious.
>
> Bye
> Giacomo
>
> --
> _________________________________________________________________
>
> Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
> _________________________________________________________________
>
> OSSERVATORIO ASTRONOMICO DI CAGLIARI
> Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
>
> Tel.: +39 070 71180 248 Fax : +39 070 71180 222
> _________________________________________________________________
>
> "When the storms are raging around you, stay right where you are"
> (Freddy Mercury)
> _________________________________________________________________
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
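
An added example, not part of the original thread: a syslog check that flags rpc.statd "gethostbyname error" entries whose hostname field carries printf conversions, like the %8x...%n run in the quoted log line. The verdict labels and the second and third sample lines are constructed for illustration; the first sample is the quoted entry with its two mail-wrapped lines joined.

```python
import re

# Hostname field of an rpc.statd lookup-failure entry in syslog.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<name>.*)$")
# printf conversion: optional N$, flags, width, precision, length, conversion.
CONV_RE = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXspn])")
# Characters a legitimate host name may contain.
HOST_RE = re.compile(r"[A-Za-z0-9._-]{1,255}")

# Verdict labels are this example's own (assumption), not rpc.statd output.
def classify(line):
    """Return a verdict for one syslog line, or None if it is not a statd lookup error."""
    m = STATD_RE.search(line)
    if m is None:
        return None
    name = m.group("name")
    convs = CONV_RE.findall(name)
    if "n" in convs:
        return "format-string-write"   # %n: write through a pointer argument
    if convs:
        return "format-string-read"    # %x/%s/%p only: stack or memory read
    if HOST_RE.fullmatch(name) is None:
        return "malformed-hostname"    # control bytes, padding, other junk
    return "lookup-failure"            # ordinary name that did not resolve

def scan(lines):
    """Return (line_number, verdict) for statd entries that are not plain lookup failures."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line.rstrip("\n"))
        if verdict not in (None, "lookup-failure"):
            hits.append((number, verdict))
    return hits

SAMPLE_LOG = [
    # From the thread, with the mail-wrapped entry joined onto one line.
    "Jul 30 13:16:35 liugy rpc.statd[298]: gethostbyname error for "
    "^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1",
    # Constructed: a benign failed lookup and an unrelated daemon.
    "Jul 30 13:20:01 liugy rpc.statd[298]: gethostbyname error for fileserver01",
    "Jul 30 13:21:44 liugy sshd[412]: Connection closed by 192.0.2.10",
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

A hit records that a request with a hostile hostname reached the daemon; it says nothing about whether the request succeeded, so the source address and the host's state still have to be checked separately.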

