Unusual logcheck entry

Ceri Davies setantae at submonkey.net
Thu Oct 9 06:35:13 PDT 2003


On Thu, Oct 09, 2003 at 07:16:45AM -0500, Charles Howse wrote:
> > On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > > The following appeared in /var/log/messages in my daily 
> > logcheck report:
> > > 
> > > Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > > 
> > > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM

	<snip>

> > > At that time, I was sitting on the couch watching the Cubs play the
> > > Marlins.
> > > Any idea what this means?
> > 
> > This is an attempt to exploit an old Linux rpc.statd
> > vulnerability..see the mailing list archives for extensive discussion
> > a few years ago.
> 
> OK, I got some good info from the archives.
> I realize this is a harmless attack if running FBSD.
> I also realize that I shouldn't be running rpc on an interface facing
> the internet.
> For various reasons, this server is outside my hardware firewall, and
> I'm not interested in configuring a software firewall.
> Correct me if I'm wrong, but it looks to me like rpc.statd is related
> (at least) to NFS.
> I've placed the line nfs_server_flags="-h 192.168.254.2" in my
> /etc/rc.conf, and rebooted.
> I've also edited /etc/ssh/sshd_config, and told it to listen only on
> 192.168.254.2, and not allow root logins.
> Am I now protected from this attack? (note rpc.stat lines below)

You were anyway; this never affected FreeBSD.

However, I'd also add portmap_flags="-h 192.168.254.2" to your rc.conf
if I were you.  I'd also reconsider the decision not to run a firewall.

Ceri
-- 
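The logcheck line quoted at the top of this thread is a printf-style format-string payload: the leading raw bytes are addresses, the run of %8x conversions consumes stack words, the very wide %62716x and %51859x fields set the value to be written, and each %hn writes it into memory. The script below is an added example written for this page, not code from the original thread, from logcheck or from FreeBSD. It pulls rpc.statd "invalid hostname to sm_stat" messages out of a syslog dump and scores them for format-string directives. The sample log lines are constructed (the host "curly" is taken from the thread; the PID, addresses and benign hostnames are made up), and the thresholds in verdict() are an assumption of mine rather than anything logcheck ships.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines, not from any real host. The first rpc.statd
# line reproduces the payload shape quoted in the thread; the bytes logcheck
# rendered as ^X, ^Z and M-^P are written here as \x18, \x1a and \x90.
SAMPLE_LOG = (
    "Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat: "
    "\x18???\x18???\x1a???\x1a???"
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\x90\n"
    "Oct  8 20:39:02 curly sshd[512]: Accepted publickey for ceri "
    "from 192.168.254.10 port 51234 ssh2\n"
    "Oct  8 20:40:11 curly rpc.statd: invalid hostname to sm_stat: "
    "some-host.example\n"
    "Oct  8 20:41:00 curly rpc.statd: invalid hostname to sm_stat: 100%%cpu\n"
)

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# printf-style conversions; the n-family writes to memory, which is what
# turns a format-string bug from an information leak into code execution.
FMT_RE = re.compile(r"%(?P<width>\d*)(?P<conv>hhn|hn|ln|[xXdiucspn])")
STATD_PREFIX = "invalid hostname to sm_stat: "


@dataclass
class Finding:
    host: str
    payload: str
    directives: int        # total % conversions in the rejected hostname
    write_directives: int  # %n / %hn / %hhn / %ln: memory writes
    max_width: int         # largest explicit field width (dials in the written value)
    nonprintable: int      # raw bytes, typically the target addresses

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption for this example, not a logcheck rule.
        if self.write_directives:
            return "format-string write attempt"
        if self.directives >= 4 or self.max_width >= 1000:
            return "format-string probe"
        return "benign"


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for rpc.statd 'invalid hostname' lines, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "rpc.statd":
        return None
    msg = m.group("msg")
    if not msg.startswith(STATD_PREFIX):
        return None
    payload = msg[len(STATD_PREFIX):]
    # "%%" is a literal percent sign, not a conversion, so drop it first.
    hits = FMT_RE.findall(payload.replace("%%", ""))
    return Finding(
        host=m.group("host"),
        payload=payload,
        directives=len(hits),
        write_directives=sum(1 for _w, conv in hits if conv.endswith("n")),
        max_width=max((int(w) for w, _c in hits if w), default=0),
        nonprintable=sum(1 for ch in payload if ord(ch) < 0x20 or ord(ch) >= 0x7F),
    )


def scan(log_text: str) -> List[Finding]:
    """Run analyze_line over a syslog dump, keeping only rpc.statd findings."""
    findings = []
    for line in log_text.split("\n"):
        f = analyze_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.verdict} ({f.directives} directives, "
              f"{f.write_directives} writes, max width {f.max_width})")
```

Run against /var/log/messages the same way logcheck would, the only line that scores as a write attempt is the one with %hn in it; a hostname that merely contains a stray "%" is left alone because "%%" is treated as a literal and a single conversion is below the probe threshold. As Ceri says, a FreeBSD rpc.statd was never vulnerable to this payload, so the point of flagging it is to know the host is being scanned, not that it has been compromised.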