
Re: rpc.statd



Quoting Alexander Hvostov (vulture@aoi.dyndns.org):
> On Sun, 8 Apr 2001 18:04:54 -0400
> "Robert Bartels" <rbartels@qx.net> wrote:
> 
> > I saw this in my logs today.
> > 
> > Apr  8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
> > It looks like statd is still running. Is rpc still vulnerable? 
> > Is there a way to track down who connected to rpc.statd?

Try installing iploggers (tcplogd, icmplogd); these tools report the 
IP address of the user connecting to your system... 

You'll get messages like:

Apr  9 00:17:57 recalcitrant tcplogd: smtp connection attempt from 
                                      recalcitrant [127.0.0.1]

Hope that helps with tracking evil users :]

Regards,
Sander.

-- 
| He who laughs last is probably your boss.
| Cistron Internet: php/c/perl/html/c++/sed/awk/linux/sql/cgi/security
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D
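
An added example, not part of the original message: one way to line up tcplogd entries with an rpc.statd error like the one quoted above, by listing the connection attempts logged shortly before it. It assumes the tcplogd line format shown in the reply; the sample hosts, addresses, the "sunrpc" service name and the 60-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format quoted above; hosts and addresses are made up.
SAMPLE_LOG = """\
Apr  8 15:01:10 mikado tcplogd: smtp connection attempt from mx.example.net [192.0.2.25]
Apr  8 15:08:41 mikado tcplogd: sunrpc connection attempt from
                                scanner.example.org [203.0.113.7]
Apr  8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
Apr  8 15:30:02 mikado tcplogd: telnet connection attempt from pc.example.com [198.51.100.4]
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) (\S+) ([\w.-]+)(?:\[\d+\])?: ?(.*)$")
ATTEMPT = re.compile(r"^(\S+) connection attempt from (\S+) \[([\d.]+)\]$")

def parse(text, year):
    """Return (timestamp, program, message) per logical line, re-joining wrapped lines."""
    logical = []
    for raw in text.splitlines():
        if raw[:1].isspace() and logical:      # continuation of a wrapped entry
            logical[-1] += " " + raw.strip()
        elif raw.strip():
            logical.append(raw.rstrip())
    entries = []
    for line in logical:
        m = ENTRY.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            stamp = " ".join(m.group(1).split()) + f" {year}"
            ts = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            entries.append((ts, m.group(3), m.group(4)))
    return entries

def attempts_before_statd(text, year=2001, window_s=60):
    """For each rpc.statd gethostbyname error, list tcplogd attempts in the preceding window."""
    entries = parse(text, year)
    report = []
    for ts, prog, msg in entries:
        if prog == "rpc.statd" and msg.startswith("gethostbyname error"):
            near = []
            for t, p, m in entries:
                hit = ATTEMPT.match(m) if p == "tcplogd" else None
                if hit and timedelta(0) <= ts - t <= timedelta(seconds=window_s):
                    near.append((t.strftime("%H:%M:%S"), hit.group(1), hit.group(3)))
            report.append((ts.strftime("%b %d %H:%M:%S"), near))
    return report

if __name__ == "__main__":
    for event, near in attempts_before_statd(SAMPLE_LOG):
        print(event, near)
```

Closeness in time only narrows the list of candidate sources; it does not show which connection triggered the statd message.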


