[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: error msg

On Tue, 30 Jul 2002, Liu, GuangYu wrote:

> Hi there,
> 	Anybody knows what caused the following error message:
> Jul 30 13:16:35 liugy rpc.statd[298]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1

it means somebody tried to cause a buffer overflow on your rpc.statd to
gain access to your computer. The very fact that you saw that log line and
that rpc.statd is still running means that the attempt failed (it was an
old bug and hopefully you are running a non-vulnerable version of
rpc.statd). You should nonetheless do a couple of things:

1) determine where the attack came from: if it came from within your
network it means that either you have a malicious user or (more likely) a
compromised host already. In this latter case, take down the compromised
host, examine it carefully and clean it up before putting it back online.

2) determine whether you actually need rpc.statd (and/or any other
RPC based daemons) running on that computer and, if you don't actually
need them, don't run them!

3) if you do need them (e.g. you need to export NFS file systems) restrict
access to all of these relatively fragile services to trusted hosts, using
hosts.allow, hosts.deny and/or firewalling.

The net is becoming a dangerous place, if you aren't cautious.



Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: