> On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > The following appeared in /var/log/messages in my daily 
> logcheck report:
> > 
> > Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > 
> ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%5185
> 9x%hnM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > 
> -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^
> PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > Oct  8 20:38:47 curly /kernel: -^PM-^PM-^P
> > 
> > At that time, I was sitting on the couch watching the Cubs play the
> > Marlins.
> > Any idea what this means?
> 
> This is an attempt to exploit an old Linux rpc.statd
> vulnerability..see the mailing list archives for extensive discussion
> a few years ago.

OK, I got some good info from the archives.
I realize this is a harmless attack if running FBSD.
I also realize that I shouldn't be running rpc on an interface facing
the internet.
For various reasons, this server is outside my hardware firewall, and
I'm not interested in configuring a software firewall.
Correct me if I'm wrong, but it looks to me like rpc.statd is related
(at least) to NFS.
I've placed the line "nfs_server_flags="-h 192.168.254.2" in my
/etc/rc.conf, and rebooted.
I've also edited /etc/ssh/sshd_config, and told it to listen only on
192.168.254.2, and not allow root logins.
Am I now protected from this attack? (note rpc.stat lines below)

[EMAIL PROTECTED] ~]# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN
ADDRESS
charles  sshd       194    4 tcp4   192.168.254.2:22
192.168.254.4:4341
root     sshd       192    4 tcp4   192.168.254.2:22
192.168.254.4:4341
root     nmbd       164    6 udp4   *:137                 *:*
root     nmbd       164    7 udp4   *:138                 *:*
root     nmbd       164    8 udp4   192.168.254.2:137     *:*
root     nmbd       164    9 udp4   192.168.254.2:138     *:*
root     smbd       162   12 tcp4   *:445                 *:*
root     smbd       162   13 tcp4   *:139                 *:*
root     sendmail   116    4 tcp4   127.0.0.1:25          *:*
root     sshd       113    3 tcp4   192.168.254.2:22      *:*
root     inetd      109    4 tcp4   *:21                  *:*
root     inetd      109    5 tcp4   *:110                 *:*
root     rpc.stat    95    3 udp4   *:1013                *:*
root     rpc.stat    95    4 tcp4   *:1022                *:*
root     mountd      87    3 udp4   *:1023                *:*
root     mountd      87    4 tcp4   *:1023                *:*
daemon   portmap     85    3 udp4   *:111                 *:*
daemon   portmap     85    4 tcp4   *:111                 *:*
root     syslogd     81    5 udp4   *:514                 *:*

[EMAIL PROTECTED] ~]# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Mon Sep 22 08:28:22 2003
# Created: Mon Sep 22 08:28:22 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.254.254"
hostname="curly.howse.no-ip.org"
ifconfig_tx0="inet 192.168.254.2  netmask 255.255.255.0"
kern_securelevel_enable="NO"
moused_enable="NO"
moused_type="NO"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.254.2"
portmap_enable="YES"
mountd_flags="-l"
nfs_client_enable="YES"
saver="daemon"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
ntpdate_enable="YES"
ntpdate_flags="time.nist.gov"
xntpdate_enable="YES"
syslogd_enable="YES"
syslog_flags="-ss"
clear_tmp_enable="YES"







_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to