Re: buffer overflows in rpc.statd?

From: David La Croix (dlacroix@cowpie.acm.vt.edu)
Date: 01/25/01


From: David La Croix <dlacroix@cowpie.acm.vt.edu>
To: hetzels@westbend.net (Scot W. Hetzel)
Date: Thu, 25 Jan 2001 12:04:32 -0600 (CST)

I started seeing this kind of activity on my servers beginning around
August. I don't specifically log the reports, but looking at the
packet refused counters on my IPFW rules, they do continue.

I don't know what the consensus is about adding logging of network details
about this stuff to rpc.statd, but you can capture logs of any/all network
activity you want by adding the "log" directive to a firewall rule. Not
sure how much value those logs will be, since there's a significant amount
of forged IP headers, source routing, etc especially among 5kr1pt k1dd135.

man ipfw.

BTW... not that I know of any specific exploits for Rpc.* family servers,
but I would recommend setting up firewall rules to prevent anyone you
don't trust from accessing those services (or any other services you
might be paranoid about). Even better, make sure your server and clients
are behind a firewall that prevents source-routed/forged packets from
the outside from spoofing as a part of your lan.

> From: "Scot W. Hetzel" <hetzels@westbend.net>
> >
> > Anybody have an idea as to what this is?
> >
> > Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat:
> >
> ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
> > \x
>
> Thanks, Chris for letting us know it's a linux exploit.
>
> Is there any way that we can find the IP address of the script kiddie using
> this exploit so we can inform their ISP?
>
> Thanks,
>
> Scot
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

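The advice above (a "log" rule on the firewall to record who is poking at rpc.statd, plus rules that drop spoofed or source-routed packets and untrusted access to the RPC ports) worked into an ipfw ruleset, as an added example that is not code from the thread. The interface, addresses and the statd port are constructed placeholders; rpc.statd's port is assigned by the portmapper, so look it up with rpcinfo -p before using this.

```shell
#!/bin/sh
# Added example: ipfw ruleset for logging and blocking untrusted RPC access,
# plus a helper that pulls the source addresses out of the resulting log lines.
# "deny log" needs a kernel built with IPFIREWALL_VERBOSE; hits land in syslog.
OIF="fxp0"              # outside interface (assumed)
LAN="192.168.1.0/24"    # trusted LAN (constructed)
SERVER="192.168.1.10"   # NFS/statd server (constructed)
STATD_PORT="1024"       # placeholder: check the real port with 'rpcinfo -p'

# Emit one "add ..." line per rule. Apply with:  statd_rules | sed 's/^/ipfw /' | sh
statd_rules() {
    cat <<EOF
add 100 deny log ip from $LAN to any in via $OIF
add 110 deny log ip from any to any ipoptions ssrr,lsrr
add 200 allow udp from $LAN to $SERVER 111,$STATD_PORT
add 210 allow tcp from $LAN to $SERVER 111,$STATD_PORT
add 220 deny log udp from any to $SERVER 111,$STATD_PORT
add 230 deny log tcp from any to $SERVER 111,$STATD_PORT
EOF
}
# Rule 100: packets claiming a LAN source but arriving on the outside interface are forged.
# Rule 110: drop strict/loose source-routed packets outright.
# Rules 200-230: only the LAN may reach the portmapper (111) and statd; everything else
# is dropped and logged, which is what records the sender's address.

# Read ipfw syslog lines on stdin and print "source-ip count" for every Deny hit.
# Log format is "ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in via <if>".
statd_log_sources() {
    awk '/ipfw: [0-9]+ Deny/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ipfw:") { split($(i+4), s, ":"); print s[1] }
         }' | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample of what the deny rules above would log (not real traffic).
SAMPLE_LOG='Jan 25 03:27:50 spare /kernel: ipfw: 220 Deny UDP 10.0.0.5:3211 192.168.1.10:111 in via fxp0
Jan 25 03:27:51 spare /kernel: ipfw: 220 Deny UDP 10.0.0.5:3211 192.168.1.10:1024 in via fxp0
Jan 25 03:28:02 spare /kernel: ipfw: 230 Deny TCP 203.0.113.7:4455 192.168.1.10:111 in via fxp0
Jan 25 03:28:09 spare /kernel: ipfw: 100 Deny UDP 192.168.1.99:5 192.168.1.10:111 in via fxp0'

printf '%s\n' "$SAMPLE_LOG" | statd_log_sources
```

The address reported by rule 100 hits is, by construction, forged, so only the rule 220/230 sources are worth reporting to an ISP.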