On Mon, Apr 09, 2001 at 12:23:06AM +0200, andrea@debian.org wrote:
> On Mon, Apr 09, 2001 at 12:18:50AM +0200, Sander Smeenk (CistroN Medewerker) wrote:
> > > I saw this in my logs today.
> > >
> > > Apr 8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
> >
> > It looks like statd is still running. Is rpc still vulnerable?
> >
> > Is there a way to track down who connected to rpc.statd?
>
> Maybe if the rpc.statd is not dedicated to the whole internet you
> can use ipchains/iptables to filter the access and logging the
> attempt of connection (with the -l flag).

easier said than done, statd allocates a random (usually privileged)
port and registers it with the portmapper. blocking it with ipchains
is a pain. about the only way you can do it is to use a script that
parses the output of rpcinfo -p localhost to find statd's current port
and make a rule for it. that of course breaks as soon as nfs-common
gets restarted.

either that or block all privileged ports, which is usually not hard
to do. some rpc services register on non-privileged ports and they are
much harder to block unless you don't mind breaking all kinds of
stuff.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
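The rpcinfo-parsing script described in the message above, as an added example that is not part of the original post. The trusted network `192.168.1.0/24`, the user-defined chain name `statd`, and the sample rpcinfo output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): build ipchains rules for
# whatever ports rpc.statd currently has registered with the portmapper.
# One-time setup assumed: ipchains -N statd; ipchains -A input -j statd
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"  # assumption: hosts allowed to reach statd
CHAIN="${CHAIN:-statd}"                       # hypothetical user-defined chain name

# Reads `rpcinfo -p` output on stdin and prints ipchains commands on stdout.
# statd registers as RPC program 100024 ("status").
statd_rules() {
    awk -v net="$TRUSTED_NET" -v chain="$CHAIN" '
        $1 == "100024" && ($3 == "tcp" || $3 == "udp") && $4 ~ /^[0-9]+$/ {
            if (seen[$3 "/" $4]++) next          # one rule per proto/port pair
            if (!n++) print "ipchains -F " chain # discard rules for the old ports
            # deny and log (-l) anything from outside the trusted network
            print "ipchains -A " chain " -p " $3 " -s ! " net " -d 0/0 " $4 " -j DENY -l"
        }
        END { exit (n ? 0 : 1) }                 # non-zero: statd is not registered
    '
}

# Constructed sample of `rpcinfo -p localhost` output.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    944  status
    100024    1   tcp    946  status
    100003    2   udp   2049  nfs
EOF
}

# Demo on the sample; on a live host: rpcinfo -p localhost | statd_rules | sh
sample_rpcinfo | statd_rules
```

Because the chain is flushed and rebuilt on every run, the script can be re-run each time nfs-common restarts and statd picks a new port.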