
Re: rpc.statd hacking but firewalled



I don't recall what port rpc.statd binds to, but what it is is a part of
the NFS system, so disabling rpc.statd, I think, will also break NFS
mounting on your side. You can still mount remote systems, I think.

And, yes, it is a hack attempt.. by some scriptkiddie trying to use a
common buffer overflow in rpc.statd... only problem is that they're using
the Solaris overflow, not the i386 one... see all those \220s? Those are
Solaris NOOP codes used to overflow the buffer. x86 NOOPs are \90 iirc...

At any rate, turn off NFS and you turn off rpc.statd. You could use a
program like snort to alert you to other attacks like the one directed at
your machine.

You might want to check your /etc/services to see if it says where
rpc.statd usually sticks itself.

Hope this helps.

-- Curtis Hogg [buckminst@inconnu.isu.edu]
----------------------------------------------

The  White Rabbit put on his spectacles.
	"Where shall  I  begin, please your Majesty ?" he asked.
	"Begin at the beginning,", the King said, very gravely, "and go on
till you come to the end: then stop."
		-- Lewis Carroll
----------------------------------------------
Email 1 - buckminst@inconnu.isu.edu
Email 2 - buckminst@hotmail.com
WWW - [in transit]

On Sun, 11 Mar 2001, hanasaki wrote:

> The following showed up in my syslog the other day.... Is this possible
> hacking?
>
> What port is rpc.statd on?
> What does it do?
> What will break if it is turned off? and how to turn it off?
> Only a few selected ports are listened on.  The last rule in my
> firewall script is ipchains -l -A input -i eth0 -j DENY.
>
> thank you.
>
>   ------------------------------------------------------------------------
>
> Mar 11 17:55:25 hostname /sbin/rpc.statd[156]: gethostbyname error for
> ^X<F7><FF>
> <BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7><FF><BF>^[<F7>
>
> <FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
>
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> Mar 11 17:55:25 hostname
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\21
> 1<F3><B0>^K<CD>\200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
>
>
> --
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
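The reply suggests an alerting tool such as snort for attacks like this one. As an added illustration (not code from either poster), the following Python script shows the same idea applied to the syslog lines themselves: it scans log text for the indicators visible in the quoted entry, namely `%n` format directives, long runs of `%x`, long runs of the `\220` octal escape syslog uses for a repeated non-printable byte, and a `/bin`...`/sh` string split across shellcode stores. The sample log lines are constructed for this example and only imitate the shape of the quoted entry; hostnames, pids and addresses are made up.

```python
import re

# Constructed sample syslog lines, modelled on the quoted log in the thread.
# Hostname, pid, timestamps and the sshd line are made up for this example.
SAMPLE_LOG = r"""
Mar 11 17:55:25 hostname /sbin/rpc.statd[156]: gethostbyname error for ^X<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Mar 11 17:55:25 hostname <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\213<F3><B0>^K<CD>\200<B0>^A<CD>\200
Mar 11 18:02:10 hostname /sbin/rpc.statd[156]: gethostbyname error for fileserver.example.invalid
Mar 11 18:05:44 hostname sshd[201]: Accepted publickey for alice from 192.0.2.10 port 40122
"""

# Indicators. Each regex targets something a legitimate hostname never contains.
FORMAT_WRITE = re.compile(r"%\d*n")           # %n directive: a memory write via printf
FORMAT_READ = re.compile(r"(?:%\d*x){4,}")    # runs of %x used to walk the stack
NOP_SLED = re.compile(r"(?:\\220){16,}")      # syslog's octal escape for one byte, repeated
SHELL_STRING = re.compile(r"/bin.{0,8}/sh")   # "/bin/sh" split across shellcode stores

INDICATORS = (
    ("format_string_write", FORMAT_WRITE),
    ("format_string_read", FORMAT_READ),
    ("nop_sled", NOP_SLED),
    ("shell_string", SHELL_STRING),
)


def classify_line(line):
    """Return the names of all indicators present in one syslog line."""
    return [name for name, rx in INDICATORS if rx.search(line)]


def scan(log_text):
    """Return (line_no, indicators, line) for every line carrying an indicator."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        hits = classify_line(line)
        if hits:
            findings.append((n, hits, line))
    return findings


if __name__ == "__main__":
    for n, hits, line in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
        print("   " + line[:96])
```

Run against the constructed sample, the first line is flagged for the format-string directives and the NOP run, the second for the shell string, and the two benign lines produce nothing. The thresholds (four `%x`, sixteen `\220`) are deliberately conservative so that a hostname lookup failure on an ordinary name never trips the check; a real deployment would feed `/var/log/messages` (or the journal) through `scan` instead of the embedded text.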