On Thu, Oct 09, 2003 at 07:16:45AM -0500, Charles Howse wrote:
> > On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > > The following appeared in /var/log/messages in my daily 
> > logcheck report:
> > > 
> > > Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > > 
> > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%5185
> > 9x%hnM-^PM

        <snip>

> > > At that time, I was sitting on the couch watching the Cubs play the
> > > Marlins.
> > > Any idea what this means?
> > 
> > This is an attempt to exploit an old Linux rpc.statd
> > vulnerability..see the mailing list archives for extensive discussion
> > a few years ago.
> 
> OK, I got some good info from the archives.
> I realize this is a harmless attack if running FBSD.
> I also realize that I shouldn't be running rpc on an interface facing
> the internet.
> For various reasons, this server is outside my hardware firewall, and
> I'm not interested in configuring a software firewall.
> Correct me if I'm wrong, but it looks to me like rpc.statd is related
> (at least) to NFS.
> I've placed the line "nfs_server_flags="-h 192.168.254.2" in my
> /etc/rc.conf, and rebooted.
> I've also edited /etc/ssh/sshd_config, and told it to listen only on
> 192.168.254.2, and not allow root logins.
> Am I now protected from this attack? (note rpc.stat lines below)

You were anyway; this never affected FreeBSD.

However, I'd also add portmap_flags="-h 192.168.254.2" to your rc.conf
if I were you.  I'd also reconsider the decision not to run a firewall.

Ceri
-- 

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to