On Sun, 8 Apr 2001, "James R. Van Zandt" <[EMAIL PROTECTED]> wrote:
>
> My Linux box was apparently subjected to a buffer overflow attack. This
> message was dumped into every virtual terminal:
> Message from syslogd@vanzandt at Sun Apr 8 17:39:29 2001 ...
> vanzandt

Your output looks a lot like the report at:

http://www.cert.org/advisories/CA-2000-17.html

Have a look and check with your Linux distro if the rpc.statd you
were running has been patched.

A good way to avoid these is to use ipchains to deny all traffic to
the rpc services. Then the attacker never even gets his exploit data
to the rpc.statd process.

The way I do this is to:

1) Deny all incoming TCP (SYN=1 ACK=0) packets except to services
   I want to export to the outside world (e.g.: none).
2) Deny all UDP traffic, except from/to my DNS servers.

This can be done at boot time even before interface ppp0 is up.

Perhaps someone on the list has a simple ipchains-calling script
that does this and would like to post it to the list.

Karl
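
The two steps described in the message above, as an added example that is not part of the original post or from anyone on the list. The interface name comes from the message; the DNS addresses are documentation-range placeholders, and the variable names, the flushing of both chains and the logging of denied packets are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: prints the ipchains rules for the two steps above, or
# applies them when run as root with APPLY=1.
IFACE="${IFACE:-ppp0}"                            # interface named in the message
DNS_SERVERS="${DNS_SERVERS:-192.0.2.1 192.0.2.2}" # placeholders: use your resolvers
TCP_SERVICES="${TCP_SERVICES:-}"                  # exported TCP ports; empty = none

emit_rules() {
    # Start from empty chains so the rule order below is the effective order.
    echo "ipchains -F input"
    echo "ipchains -F output"

    # Step 1: -y matches SYN=1 with ACK and FIN cleared, i.e. a new inbound
    # connection. Allow it only to exported services, deny and log the rest.
    for port in $TCP_SERVICES; do
        echo "ipchains -A input -i $IFACE -p tcp -y -d 0.0.0.0/0 $port -j ACCEPT"
    done
    echo "ipchains -A input -i $IFACE -p tcp -y -l -j DENY"

    # Step 2: UDP only from/to port 53 on the listed DNS servers.
    for dns in $DNS_SERVERS; do
        echo "ipchains -A input -i $IFACE -p udp -s $dns 53 -j ACCEPT"
        echo "ipchains -A output -i $IFACE -p udp -d $dns 53 -j ACCEPT"
    done
    echo "ipchains -A input -i $IFACE -p udp -l -j DENY"
    echo "ipchains -A output -i $IFACE -p udp -j DENY"
}

if [ "${APPLY:-0}" = "1" ]; then
    emit_rules | sh      # needs root and a kernel with ipchains support
else
    emit_rules           # dry run: review the rules before applying them
fi
```

With these rules in place, portmapper and rpc.statd are unreachable over ppp0 on both TCP and UDP, whatever dynamic port rpc.statd was assigned.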