Your example shows local IP addresses for the refused hosts; if this is the case, it is possibly just network noise.

Paranoid rant follows:

The (unfortunately) more likely case is that you are being scanned for the latest statd vulnerability. If you have the latest nfs-common package you are safe (you should also have a kernel version of 2.2.16 minimum). I lost 50+ machines to this about a week ago (they were all shut down before mr. skriptkiddie came back, but the break-in went through 6 class C subnets in about 3 min, setting up back doors).

My particular instance set up root shells listening on port 199, entered in /etc/inetd.conf, so you might want to look there and see if there's a suspicious "smux" line. This is what was done once they got root, not the vulnerability, so lack of this line may simply indicate a different use of it.

If you have a new kernel and nfs-common Version: 1:0.1.9.1-1, no worries, you can just laugh the scan off (if that's what it was).

On Thu, Aug 24, 2000 at 12:49:13PM +0900, Olaf Meeuwissen wrote:
:Dear all,
:
:I've been seeing entries like below in my logs for a while.
:
: Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
: Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
:
:and
:
: Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
:
:I've implemented a default deny-all policy in /etc/hosts.deny with
:
: ALL : ALL
:
:My /etc/hosts.allow effectively reads
:
: nmbd smbd : 172.16.
:
:From the log messages I assume that the portmap connect attempts fail
:(as per policy), but what do these connect attempts mean? Is someone
:trying to crack my server or something? I did challenge our network
:admin ...
:--
:Olaf Meeuwissen Epson Kowa Corporation, Research and Development
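
The /etc/inetd.conf check suggested in the reply above, as an added example that is not part of the original thread: it flags any inetd entry whose server program or arguments resolve to a shell, whatever service name it hides behind. The function names `audit_inetd` and `demo`, the list of shell names, and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit an inetd.conf-format file for entries that hand a connection to a shell.
# Fields: service socket-type proto wait-flag user server-program [args...]

audit_inetd() {
    # $1 = path to an inetd.conf-format file
    # Output, one line per hit: line-number:service:user:matched-program
    awk '
        /^[ \t]*#/ || NF < 6 { next }     # skip comments and short lines
        {
            hit = ""
            # Check the server program and every argument (covers tcpd wrappers).
            for (i = 6; i <= NF; i++) {
                n = split($i, parts, "/")
                base = parts[n]
                if (hit == "" && base ~ /^(sh|bash|ash|csh|tcsh|ksh|zsh)$/)
                    hit = $i
            }
            if (hit != "")
                printf "%d:%s:%s:%s\n", NR, $1, $5, hit
        }
    ' "$1"
}

demo() {
    # Constructed sample input, not taken from a real host.
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd    /usr/sbin/in.ftpd
smux    stream  tcp  nowait  root    /bin/sh           sh -i
ident   stream  tcp  wait    identd  /usr/sbin/identd  identd
EOF
    audit_inetd "$tmp"
    rm -f "$tmp"
}

# Stand-alone use: pass the file to audit, e.g. /etc/inetd.conf
if [ "$#" -gt 0 ]; then
    audit_inetd "$1"
fi
```

An empty result only means no shell is wired directly into inetd; as the reply notes, the back door is what was done after the break-in, so its absence says nothing about whether statd was exploited.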