Thanks for the quick reply!

"Jonathan D. Proulx" <[EMAIL PROTECTED]> writes:

> Your example shows local IP addresses for the refused hosts, if this
> is the case it is possibly just network noise.
>
> Paranoid rant follows:
>
> The (unfortunately) more likely case is that you are being scanned for
> the latest statd vulnerability. If you have the latest nfs-common
> package you are safe (you should also have a kernel version of 2.2.16
> minimum). I lost 50+ machines to this about a week ago (they were all
> shut down before mr. skriptkiddie came back, but the break-in went
> through 6 class c subnets in about 3min setting up back doors)

I don't have NFS packages installed, running 2.2.17 generic kernel. I
installed potato afresh right after it became stable from a local mirror
and made sure all md5sums were OK (before installing from a freshly
downloaded Packages file). Haven't installed much: base tarball,
tob/afio/cron/exim, samba and apache. Even purged telnet, ftp, ppp,
pppconfig, pump and pcmcia-cs.

> My particular instance set up root shells listening on port 199,
> entered in /etc/inetd.conf so you might want to look there and see if
> there's a suspicious "smux" line. This is what was done once they got
> root, not the vulnerability, so lack of this line may simply indicate
> a different use of it.

No smux in there.

> If you have a new kernel and nfs-common Version: 1:0.1.9.1-1, no
> worries, you can just laugh the scan off (if that's what it was)
>
>
> On Thu, Aug 24, 2000 at 12:49:13PM +0900, Olaf Meeuwissen wrote:
> :Dear all,
> :
> :I've been seeing entries like below in my logs for a while.
> :
> : Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> : Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> :
> :and
> :
> : Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
> :
> :I've implemented a default deny-all policy in /etc/hosts.deny with
> :
> : ALL : ALL
> :
> :My /etc/hosts.allow effectively reads
> :
> : nmbd smbd : 172.16.
> :
> :From the log messages I assume that the portmap connect attempts fail
> :(as per policy), but what do these connect attempts mean? Is someone
> :trying to crack my server or something? I did challenge our network
> :admin ...

-- 
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
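An added example, not part of the thread above: a small Python script that parses portmap refusal lines of the kind quoted in the thread, counts them per source and RPC program number, and applies a simplified hosts.allow/hosts.deny decision to show why the portmap requests are refused while smbd from 172.16. is admitted. The sample log lines and source addresses are constructed, and using "portmap" as the daemon name for the portmapper's libwrap check is an assumption; the real TCP wrappers syntax is richer than the prefix matching done here.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's portmap messages; the addresses are made up.
SAMPLE_LOG = """\
Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.1.5 to callit(390109): request from unauthorized host
Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.1.5 to callit(390109): request from unauthorized host
Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.2.9 to getport(300598): request from unauthorized host
Aug 24 12:45:00 bilbo sshd[27700]: Accepted password for olaf from 172.16.1.20
"""

PORTMAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>[\d.]+) to (?P<proc>\w+)\((?P<prog>\d+)\): "
    r"request from unauthorized host$")

def parse_portmap_refusals(text):
    """One dict per refused portmap request; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PORTMAP_RE.match(line)
        if m:
            d = m.groupdict()
            d["prog"] = int(d["prog"])  # RPC program number the caller asked about
            events.append(d)
    return events

def summarize(events):
    """Count refusals per (source IP, portmap procedure, RPC program number)."""
    return Counter((e["src"], e["proc"], e["prog"]) for e in events)

# Simplified hosts.allow / hosts.deny from the thread as (daemons, clients) rules.
# Using 'portmap' as the daemon name for the portmapper's libwrap check is an assumption.
HOSTS_ALLOW = [(["nmbd", "smbd"], ["172.16."])]
HOSTS_DENY = [(["ALL"], ["ALL"])]

def wrappers_allows(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access() order, simplified: hosts.allow match wins, then hosts.deny, else
    allow. 'ALL' matches anything; '172.16.' (trailing dot) matches by address prefix."""
    def matches(rules):
        for daemons, clients in rules:
            if "ALL" in daemons or daemon in daemons:
                for c in clients:
                    if c == "ALL" or c == client_ip or (c.endswith(".") and client_ip.startswith(c)):
                        return True
        return False
    if matches(allow):
        return True
    return not matches(deny)  # a hosts.deny hit refuses; no match anywhere allows
```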

