<quote who="andy">

> The IP addresses don't seem to mean much other than one of them is mine!
> (dial up so it varies each time)

whois <ip address>

> The same thing happened on RH6.2 just before I got attacked (though this
> could be just coincidence) but I believe the vulnerability exploited in
> my case was via rpc.statd (they loaded 'luckroot' onto my system plus a
> rootkit). Unfortunately NFS uses rpc.statd for its locking (?) schemes
> so I can't just ditch it.

Ditch NFS on your "firewall"! There is no reason to have it on there; if you
require NFS for a fileserver, put it behind the firewall.

You could also set up ipchains/iptables to block it, but you should really
just pull NFS entirely. Don't run anything on the machine that isn't
required, and if it's a known security problem already (which rpc and
portmap most definitely are), get it off the box. :)

- Jeff

-- 
     "World domination is a community responsibility." - Michael Hall,      
                                LinuxPlanet                                 

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
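
Added example, not part of the original message: for the ipchains/iptables option mentioned in the reply, this sketch turns `rpcinfo -p` output into inbound DROP rules for every port registered with the portmapper, which matters because rpc.statd usually sits on a dynamically assigned port. The interface name `ppp0`, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: generate iptables rules that drop inbound traffic on the
# external interface for every port registered with portmap.
# EXT_IF is an assumption (a dial-up link); override it in the environment.
EXT_IF="${EXT_IF:-ppp0}"

# Constructed sample of `rpcinfo -p` output; not taken from a real host.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp    635  mountd
EOF
}

# Reads `rpcinfo -p` output on stdin and prints one rule per unique
# proto/port pair. The header line is skipped because its third field
# is neither "tcp" nor "udp".
rpc_block_rules() {
    awk -v ifc="$EXT_IF" '
        $3 == "tcp" || $3 == "udp" {
            key = $3 "/" $4
            if ($4 ~ /^[0-9]+$/ && !(key in seen)) {
                seen[key] = 1
                printf "iptables -A INPUT -i %s -p %s --dport %s -j DROP\n", ifc, $3, $4
            }
        }'
}

# Print the rules for review instead of applying them.
# On a live host: rpcinfo -p | rpc_block_rules
sample_rpcinfo | rpc_block_rules
```

The port rpc.statd registers can change when it restarts, so rules generated this way go stale; a default-deny INPUT policy, or removing NFS and portmap from the firewall as the reply recommends, does not have that problem.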
