
Re: error msg



On Tue, Jul 30, 2002 at 09:51:19AM +0200, Giacomo Mulas wrote:
> On Tue, 30 Jul 2002, Liu, GuangYu wrote:
> 
> > Hi there,
> > 	Anybody knows what caused the following error message:
> >
> > Jul 30 13:16:35 liugy rpc.statd[298]: gethostbyname error for
> > ^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
> 
> it means somebody tried to cause a buffer overflow on your rpc.statd to
> gain access to your computer. The very fact that you saw that log line and
> that rpc.statd is still running means that the attempt failed (it was an

I am not sure about that. I once got attacked in a similar manner where
the attacker managed to get him/herself an account on the machine in
question and to reboot it. The only reason the attack didn't go
further was that the attacker forgot to generate an own ssh-key and
could not log in (only public-key login allowed).

Mathias

> old bug and hopefully you are running a non-vulnerable version of
> rpc.statd). You should nonetheless do a couple of things:
> 
> 1) determine where the attack came from: if it came from within your
> network it means that either you have a malicious user or (more likely) a
> compromised host already. In this latter case, take down the compromised
> host, examine it carefully and clean it up before putting it back online.
> 
> 2) determine whether you actually need rpc.statd (and/or any other
> RPC based daemons) running on that computer and, if you don't actually
> need them, don't run them!
> 
> 3) if you do need them (e.g. you need to export NFS file systems) restrict
> access to all of these relatively fragile services to trusted hosts, using
> hosts.allow, hosts.deny and/or firewalling.
> 
> The net is becoming a dangerous place, if you aren't cautious.
> 
> Bye
> Giacomo
> 
> -- 
> _________________________________________________________________
> 
> Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
> _________________________________________________________________
> 
> OSSERVATORIO ASTRONOMICO DI CAGLIARI
> Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
> 
> Tel.: +39 070 71180 248     Fax : +39 070 71180 222
> _________________________________________________________________
> 
> "When the storms are raging around you, stay right where you are"
>                          (Freddy Mercury)
> _________________________________________________________________
> 
> 
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
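
An added example, not written by either poster: a small log scanner that flags rpc.statd "gethostbyname error for" entries whose logged name carries printf conversion specifiers or raw bytes, as in the line quoted above. The function names, host names and sample lines are constructed for illustration.

```python
import re

# Line shape taken from the log entry quoted in the thread.
STATD = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) rpc\.statd\[\d+\]: "
                   r"gethostbyname error for ?(.*)$")
# printf-style conversion specifiers such as %8x, %236x, %n, %hn, %5$n
FMT = re.compile(r"%(?:\d+\$)?\d*(?:hh|h|ll|l)?[diouxXspn]")
# Characters a real hostname may contain
HOSTNAME = re.compile(r"[A-Za-z0-9._-]{1,253}")

def classify(name):
    """Return the reasons a logged 'hostname' looks like an attack probe."""
    reasons = []
    specs = FMT.findall(name)
    if specs:
        reasons.append("format specifiers x%d" % len(specs))
    if any(s.endswith("n") for s in specs):
        reasons.append("%n write specifier")
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in name):
        reasons.append("non-printable bytes")
    if not reasons and not HOSTNAME.fullmatch(name):
        reasons.append("not a valid hostname")
    return reasons

def scan(lines):
    """Return (timestamp, host, reasons) for suspicious rpc.statd entries."""
    findings = []
    for i, line in enumerate(lines):
        m = STATD.match(line.rstrip("\n"))
        if not m:
            continue
        name = m.group(3)
        # Wrapped or archived logs may put the name on the following line.
        if not name and i + 1 < len(lines):
            name = lines[i + 1].strip()
        reasons = classify(name)
        if reasons:
            findings.append((m.group(1), m.group(2), reasons))
    return findings

# Constructed sample input (not real log data); \x18 etc. stand in for raw bytes.
SAMPLE = [
    "Jul 30 13:16:35 hostA rpc.statd[298]: gethostbyname error for "
    "\x18\xf7\xff\xbf%8x%8x%8x%236x%n",
    "Jul 30 13:20:01 hostA rpc.statd[298]: gethostbyname error for nfs1.example.org",
    "Jul 30 13:21:09 hostA sshd[412]: Accepted publickey for root",
]

if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE):
        print(ts, host, "; ".join(reasons))
```

A plain resolver failure for an ordinary hostname, like the second sample line, is not reported.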

