On Mon, 18 Dec 2000, Christian T. Steigies wrote:

> Hi,
> seems my machine was subject to a remote attack. I saw these in the logs:
>
> Dec 16 05:10:03 ap031 rpc.statd[21964]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> [...]
>
> How can I find out where the attack came from? Plus I hope that a woody
> machine is not vulnerable?

Unless there was more in your logs, you don't find out where it came from.

In any case, that attack was published in mid-July. Debian 2.2 and 2.3 are both listed as vulnerable. The fix (for Debian) was in nfs-common_0.1.9.1-1, so if you're running that version or later then you're safe. Otherwise, you might want to take a *very* close look at your system and consider reinstalling.

For more information on the attack go to www.securityfocus.com and do a search on statd.

HTH,

Damian Menscher
-- 
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
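
A log check for entries like the one quoted in this thread, as an added example that is not part of the original messages: it flags rpc.statd "gethostbyname error" lines whose hostname field contains format directives, caret-notated control bytes or runs of \220. The sample lines are constructed from the quoted entry, and the function name and check labels are this example's own.

```python
import re

# Constructed sample lines modelled on the log entry quoted in the thread.
SAMPLE_LOG = [
    r"Dec 16 05:10:03 ap031 rpc.statd[21964]: gethostbyname error for "
    r"^X÷ÿ¿^X÷ÿ¿%8x%8x%8x%236x%n%137x%n\220\220\220\220\220\220\220\220",
    "Dec 16 05:12:41 ap031 rpc.statd[21964]: gethostbyname error for fileserver2",
    "Dec 16 05:13:02 ap031 sshd[412]: Connection closed by 10.0.0.5",
]

# The text after "error for" is whatever the remote caller supplied as a hostname.
STATD = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<host>.*)$")

# Each check names one property that a real hostname never has.
CHECKS = {
    "format directive": re.compile(r"%\d*[xdnsp]"),
    "write directive %n": re.compile(r"%\d*n"),
    "caret-notated control byte": re.compile(r"\^[@-_]"),
    # syslog prints byte 0x90 (the x86 NOP opcode) as the octal escape \220
    "run of \\220 (0x90) bytes": re.compile(r"(?:\\220){4,}"),
    "invalid hostname character": re.compile(r"[^A-Za-z0-9._-]"),
}


def suspicious_statd_entries(lines):
    """Return (line_number, [reasons]) for statd errors whose hostname field is hostile."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = STATD.search(line)
        if not match:
            continue  # not an rpc.statd lookup failure
        host = match.group("host").strip()
        reasons = [name for name, pattern in CHECKS.items() if pattern.search(host)]
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in suspicious_statd_entries(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

A hit only shows that the request reached rpc.statd; whether it succeeded depends on the installed nfs-common version, as the reply explains.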