ok, with all this talking about rpc security holes, even though i've
port-scanned and edited my initd.conf file, and pruned out everything i can
think of to prune, the following still shows up in netstat -a:
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:1171
certainly does smell like some shell code (although some of the other
characters look like an Asian character set being misinterpreted). Best
bet is to set up some IPChains/Tables rules with a Default-Deny stance and
then allow in from the outside only the very minimal required based on your
Definitely a security problem. But the fact that you actually saw
something is good news .. it means the exploit didn't work. If it had
worked, the thing would just die quietly and not log anything. Better off
without rpc anyway, unless you *need* it for NFS or something
similar. And if you re
On Wed, May 23, 2001 at 10:58:43PM -0700, Wade Richards wrote:
> Yep, it's a security problem. Someone is trying to hack into your system
> using one of many known security bugs in the rpc daemon.
>
> If you don't need the rpc stuff running, then just disable it (better yet,
> uninstall it).
Yep, it's a security problem. Someone is trying to hack into your system
using one of many known security bugs in the rpc daemon.
If you don't need the rpc stuff running, then just disable it (better yet,
uninstall it). If you really do need it running, but it's only used
locally, then I sug
Hello,
Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat
6.x box in under 30 seconds with a rpc exploit from a clean install) Turn
that stuff OFF.
Ed
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 1:08 AM
T
Heya :)
I was running a 'tail -f' on my /var/log/messages and this entry appeared while
I was connected to the internet:
May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8
On 23-May-01, 10:18 (CDT), Simon Huggins <[EMAIL PROTECTED]> wrote:
> On Tue, May 22, 2001 at 08:37:26PM +0100, Dave Smith wrote:
> > originating from port 80 of different computers on the internet.
> ^
[snip]
> > web browsers send requests to. Replies from web servers do
On Wed, May 23, 2001 at 05:18:04PM +0200, Simon Huggins wrote:
> On Tue, May 22, 2001 at 08:37:26PM +0100, Dave Smith wrote:
> > (Please do not CC me on mail sent to this list; I subscribe to and
> > read every list I post to.)
>
> But do you read every post of every list you post to?
> (sorry it
On Tue, May 22, 2001 at 08:37:26PM +0100, Dave Smith wrote:
...
> originating from port 80 of different computers on the internet.
^
On Wed, May 23, 2001 at 08:56:55AM -0500, Steve Greenland wrote:
> On 22-May-01, 16:50 (CDT), Chris Boyle <[EMAIL PROTECTED]> wrote:
> > Fi
On 22-May-01, 16:50 (CDT), Chris Boyle <[EMAIL PROTECTED]> wrote:
> Firstly be aware that these are probably just responses from web servers
> you're browsing if they don't have the SYN (establish connection) flag set
> (80 is http).
Nope.
Port 80 is http _server_ -- this is port web servers