Unusual logcheck entry
Charles Howse
chowse at charter.net
Thu Oct 9 05:16:58 PDT 2003
> On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > The following appeared in /var/log/messages in my daily
> > logcheck report:
> >
> > Oct 8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM
> > -^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > Oct 8 20:38:47 curly /kernel: -^PM-^PM-^P
> >
> > At that time, I was sitting on the couch watching the Cubs play the
> > Marlins.
> > Any idea what this means?
>
> This is an attempt to exploit an old Linux rpc.statd
> vulnerability..see the mailing list archives for extensive discussion
> a few years ago.
OK, I got some good info from the archives.
I realize this is a harmless attack if running FBSD.
I also realize that I shouldn't be running rpc on an interface facing
the internet.
For various reasons, this server is outside my hardware firewall, and
I'm not interested in configuring a software firewall.
Correct me if I'm wrong, but it looks to me like rpc.statd is related
(at least) to NFS.
I've placed the line nfs_server_flags="-h 192.168.254.2" in my
/etc/rc.conf, and rebooted.
I've also edited /etc/ssh/sshd_config, and told it to listen only on
192.168.254.2, and not allow root logins.
Am I now protected from this attack? (note rpc.stat lines below)
[root at curly ~]# sockstat -4
USER     COMMAND   PID  FD PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
charles  sshd      194  4  tcp4   192.168.254.2:22   192.168.254.4:4341
root     sshd      192  4  tcp4   192.168.254.2:22   192.168.254.4:4341
root     nmbd      164  6  udp4   *:137              *:*
root     nmbd      164  7  udp4   *:138              *:*
root     nmbd      164  8  udp4   192.168.254.2:137  *:*
root     nmbd      164  9  udp4   192.168.254.2:138  *:*
root     smbd      162  12 tcp4   *:445              *:*
root     smbd      162  13 tcp4   *:139              *:*
root     sendmail  116  4  tcp4   127.0.0.1:25       *:*
root     sshd      113  3  tcp4   192.168.254.2:22   *:*
root     inetd     109  4  tcp4   *:21               *:*
root     inetd     109  5  tcp4   *:110              *:*
root     rpc.stat  95   3  udp4   *:1013             *:*
root     rpc.stat  95   4  tcp4   *:1022             *:*
root     mountd    87   3  udp4   *:1023             *:*
root     mountd    87   4  tcp4   *:1023             *:*
daemon   portmap   85   3  udp4   *:111              *:*
daemon   portmap   85   4  tcp4   *:111              *:*
root     syslogd   81   5  udp4   *:514              *:*
[root at curly ~]# cat /etc/rc.conf
# -- sysinstall generated deltas -- # Mon Sep 22 08:28:22 2003
# Created: Mon Sep 22 08:28:22 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.254.254"
hostname="curly.howse.no-ip.org"
ifconfig_tx0="inet 192.168.254.2 netmask 255.255.255.0"
kern_securelevel_enable="NO"
moused_enable="NO"
moused_type="NO"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.254.2"
portmap_enable="YES"
mountd_flags="-l"
nfs_client_enable="YES"
saver="daemon"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
ntpdate_enable="YES"
ntpdate_flags="time.nist.gov"
xntpdate_enable="YES"
syslogd_enable="YES"
syslog_flags="-ss"
clear_tmp_enable="YES"
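An added check, not part of the post or of FreeBSD's own tools, that reads the question above straight off a `sockstat -4` listing: it flags every socket bound to the wildcard address `*:port`, which is reachable on every interface no matter which address nfsd was given with `-h`. The sockstat text below is a constructed sample mirroring the listing in the post (with `rpc.statd` written out), and the function names are mine.

```shell
#!/bin/sh
# Audit a `sockstat -4` listing for daemons bound to INADDR_ANY ("*:port").
# Such sockets answer on the internet-facing interface as well as the LAN,
# whereas a socket bound to 192.168.254.2 only answers on that address.

# Constructed sample of `sockstat -4` output (columns as FreeBSD prints them).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       113   3  tcp4   192.168.254.2:22      *:*
root     inetd      109   4  tcp4   *:21                  *:*
root     rpc.statd  95    3  udp4   *:1013                *:*
root     rpc.statd  95    4  tcp4   *:1022                *:*
root     mountd     87    3  udp4   *:1023                *:*
daemon   portmap    85    3  udp4   *:111                 *:*
root     syslogd    81    5  udp4   *:514                 *:*
root     sendmail   116   4  tcp4   127.0.0.1:25          *:*'

# wildcard_listeners: read sockstat text on stdin, skip the header line,
# and print "COMMAND PROTO LOCAL" for every socket whose local address
# begins with "*:" (bound to all interfaces).
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# count_wildcard: how many wildcard-bound sockets the sample contains.
count_wildcard() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# lan_only CMD: succeed (exit 0) only if CMD has no wildcard-bound socket
# in the sample, i.e. it is confined to a specific address.
lan_only() {
    cmd=$1
    n=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners \
        | awk -v c="$cmd" '$1 == c' | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Report on the sample; on a live box run: sockstat -4 | wildcard_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

Anything the check prints is still reachable from outside, so the `-h` flag on nfsd alone does not cover rpc.statd, mountd or portmap; they need their own bind options or a filter in front of them.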