Exodus: this is bad

Michael Freeman mikef at boris.talentsoft.com
Tue Nov 17 12:26:42 UTC 1998


You guys might be overlooking a very major security hole with Linux,
besides bind. Rpc.Mountd. If you haven't patched yet, do so now, because
exploits have been publicly available for a while now and this is a
remote attack that will compromise root. The easiest thing to do if you
don't have time to sit and upgrade every Linux box on your network with
the latest rpc.mountd, or kill it off, or whatever you plan on doing,
might be to just go on your router and put up an access-list denying all
inbound connections on port 111 (the rpc portmapper). Even though it's
pretty trivial to guess what port rpc.mountd is on (2049) instead of using
the portmapper, the exploits aren't configured to do so (at least not to
my knowledge). And if you're still worried you could firewall both 111 and
2049. Well good luck. 8)

On Mon, 16 Nov 1998, William S. Duncanson wrote:

> I think he meant the compromised hosts, or the hosts that the attacks were
> coming from, were all RH 5.1 with an old rev of BIND.  My 3.0-current box
> with 8.1.2 handled it fine, as well.
> 
> At 22:30 11/16/98 -0500, Adam Rothschild wrote:
> >On Mon, 16 Nov 1998, Edward S. Marshall wrote:
> >
> >> The attacked hosts have all exhibited the same characteristics: stock Red
> >> Hat 5.1 install, running (probably) the stock named that came with it,
> >
> >Not entirely true.  I watched a FreeBSD 2.2.x/BIND 8.1.2 box get tickled
> >harmlessly...
> >
> >Go to bed, portscanning twit kiddies.  It's late now, and Teletubbies ain't
> >on. 8-)
> >
> >
> 
> 
> William S. Duncanson                      caesar at starkreality.com
> The driving force behind the NC is the belief that the companies who brought us
> things like Unix, relational databases, and Windows can make an appliance that
> is inexpensive and easy to use if they choose to do that.  -- Scott Adams 
> 
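
Added example, not part of the original e-mail: a small Python helper that turns a host's `rpcinfo -p` listing into the kind of router access-list described above, taking the NFS-related ports from the listing itself. The sample listing is constructed, and the ACL number 101 and the trailing permit line are assumptions.

```python
import re

# Constructed sample of `rpcinfo -p` output (not taken from the original post).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    2   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100024    1   udp    946  status
"""

# RPC program numbers that should not be reachable from outside.
BLOCKED_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def exposed_endpoints(rpcinfo_text):
    """Return sorted (proto, port, name) tuples for the blocked programs."""
    found = set()
    for line in rpcinfo_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line or anything unparseable
        prog, port = int(m.group(1)), int(m.group(4))
        if prog in BLOCKED_PROGRAMS and 0 < port < 65536:
            # A set collapses rows that differ only in program version.
            found.add((m.group(3), port, BLOCKED_PROGRAMS[prog]))
    return sorted(found, key=lambda e: (e[1], e[0]))


def acl_lines(endpoints, acl_number=101):
    """Render IOS-style extended ACL entries (acl_number is an assumption)."""
    # Always deny the portmapper on both protocols, even if it was not listed.
    wanted = {("tcp", 111, "portmapper"), ("udp", 111, "portmapper")}
    wanted |= set(endpoints)
    lines = [f"access-list {acl_number} deny {proto} any any eq {port}"
             for proto, port, _ in sorted(wanted, key=lambda e: (e[1], e[0]))]
    # Assumption: everything else stays permitted on this interface.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines(exposed_endpoints(SAMPLE_RPCINFO))))
```

Run it against the real `rpcinfo -p` output of each NFS server, since the filter only helps if it covers the ports those daemons actually registered.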



