
Re: remote attack?



On Mon, 18 Dec 2000, Christian T. Steigies wrote:

> Hi,
> seems my machine was subject to a remote attack. I saw these in the logs:
> 
> Dec 16 05:10:03 ap031 rpc.statd[21964]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> [...]
> 
> How can I find out where the attack came from? Plus I hope that a woody
> machine is not vulnerable?

Unless there was more in your logs, you don't find out where it came
from.  In any case, that attack was published in mid-July.  Debian 2.2
and 2.3 are both listed as vulnerable.  The fix (for Debian) was in
nfs-common_0.1.9.1-1, so if you're running that version or later then
you're safe.  Otherwise, you might want to take a *very* close look at
your system and consider reinstalling.

For more information on the attack go to www.securityfocus.com and do a
search on statd.

HTH,

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
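
Added example (not part of the original message): a Python check that flags syslog lines like the one quoted above, where the name rpc.statd logs after "gethostbyname error for" carries printf conversions instead of a hostname. The sample lines are constructed and the function names are this example's own; the syslog layout is assumed to match the quoted line.

```python
import re

# Syslog shape seen in the post: "Dec 16 05:10:03 ap031 rpc.statd[21964]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"rpc\.statd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
PREFIX = "gethostbyname error for "
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,255}$")  # what a real name looks like
CONV_RE = re.compile(r"%\d*[a-zA-Z]")                # printf conversions: %8x, %n
WRITE_RE = re.compile(r"%\d*n")                      # %n writes through a pointer
ESCAPE_RUN_RE = re.compile(r"(?:\\\d{3}){8,}")       # long run of octal-escaped bytes


def inspect(line):
    """Return a finding dict for a suspicious statd line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None or not m.group("msg").startswith(PREFIX):
        return None
    name = m.group("msg")[len(PREFIX):]
    if HOSTNAME_RE.match(name):
        return None  # ordinary failed lookup of a plausible hostname
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "pid": m.group("pid"),
        "conversions": len(CONV_RE.findall(name)),
        "writes": len(WRITE_RE.findall(name)),
        "escaped_run": bool(ESCAPE_RUN_RE.search(name)),
    }


def scan(lines):
    """Collect findings from an iterable of syslog lines."""
    return [f for f in map(inspect, lines) if f is not None]


# Constructed sample input, modelled on the quoted log entry (shortened).
SAMPLE_LOG = [
    r"Dec 16 05:10:03 ap031 rpc.statd[21964]: gethostbyname error for "
    r"^X%8x%8x%8x%236x%n%137x%n" + r"\220" * 12,
    "Dec 16 05:12:40 ap031 rpc.statd[21964]: gethostbyname error for client7.example.org",
    "Dec 16 05:13:01 ap031 sshd[402]: Connection closed",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding gives the time, host and statd PID only; the log line itself records no peer address.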


