portmapper/process table flood exploit?

From: C.J. Oster (lordvadrat_private)
Date: Tue May 04 1999 - 11:41:07 PDT


    Aleph, my apologies if this has already been posted.  I did a quick search
    and didn't find anything.
    
    Early this morning my machine crashed because of a ypserv flood on
    portmap.  I'm not sure exactly what happened because of my lack of
    familiarity with nis and portmap.  Here's the logs.
    
    May  2 04:02:16 localhost portmap[1556]: connect from 130.126.85.3 to
    callit(ypserv): request from unauthorized host
    May  2 04:02:28 localhost portmap[1557]: connect from 130.126.85.3 to
    callit(ypserv): request from unauthorized host
    May  2 04:03:13 localhost portmap[1559]: connect from 130.126.85.3 to
    callit(ypserv): request from unauthorized host
    May  2 04:03:17 bh-ridgway portmap[1560]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
    .
    .
    .
    .
    May  2 05:00:57 localhost portmap[1943]: connect from 130.126.85.3 to
    callit(ypserv): request from unauthorized host
    May  2 05:01:07 loralhost portmap[1946]: connect from 130.126.85.3 to
    callit(ypserv): request from unauthorized host
    May  2 05:01:19 localhost portmap[1947]: connect from 130.126.85.3 to
    callit(ypserv): request from unauthorized host
    
    254 of them, then bang, dead.  I'm assuming it's a process table flood or
    something of the sort.  Or perhapse a portmap exploit that I'm not aware
    of.  I run 2.2.5, dual pentium 200mmx, and the offending machine is
    another linux machine running the 2.1 or the 2.2 kernel (at least that's
    what queso says).  Any ideas? Thanks in advance.
    
    -CJO-
    
    
                    C.J. Oster (Linux Guru/Surge Addict)
    ------------------------------------------------------------------
    | cjoat_private   |   910 S. 3rd St, #1218  |	CCSO, WSG, UIUC  |
    | osterat_private  |   Champaign, IL 61820   |	1443 DCL, Urbana |
    | ---------------------------------------------------------------|
    |    PGP: 87D5 4216 43A1 42D6 754D  8F5E 24B3 992A B7A1 F556     |
    ------------------------------------------------------------------
    		   (580)761-6393 (217)328-8934
          "Linux, for people with an IQ above 98" - Bumper Sticker
     "Hm, a little big for a cup holder... Why does it say '4x' on it?"
    



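A log triage script for the portmap refusals quoted in the message above, added here as an example and not part of the original post. It groups "request from unauthorized host" lines by source address and RPC procedure, then reports the count, the time span, and how many distinct portmap PIDs logged them. The sample input is the seven lines visible in the post with wrapped lines rejoined; the year, the threshold and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the log lines shown in the post, wrapped lines rejoined.
SAMPLE = """\
May  2 04:02:16 localhost portmap[1556]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
May  2 04:02:28 localhost portmap[1557]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
May  2 04:03:13 localhost portmap[1559]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
May  2 04:03:17 bh-ridgway portmap[1560]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
May  2 05:00:57 localhost portmap[1943]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
May  2 05:01:07 loralhost portmap[1946]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
May  2 05:01:19 localhost portmap[1947]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
"""

# Matches only the refusal message format seen in the post.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sportmap\[(?P<pid>\d+)\]:\s"
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<svc>[^)]*)\): "
    r"request from unauthorized host$"
)

def summarize(text, year=1999):
    """Group refused portmap requests by (source, procedure, service).
    Syslog timestamps carry no year, so one is supplied (assumed 1999)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a portmap refusal line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        groups[(m["src"], m["proc"], m["svc"])].append((ts, int(m["pid"])))
    report = {}
    for key, events in groups.items():
        times = sorted(t for t, _ in events)
        pids = [p for _, p in events]
        report[key] = {
            "count": len(events),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "distinct_pids": len(set(pids)),   # one new PID per logged refusal?
            "pid_range": (min(pids), max(pids)),
        }
    return report

def flag(report, min_count=5):
    """Sources with repeated refusals, each logged under a different PID.
    min_count is an arbitrary threshold chosen for this example."""
    return sorted(k for k, v in report.items()
                  if v["count"] >= min_count and v["distinct_pids"] == v["count"])
```

On the sample, every refusal is logged under a different portmap PID, which is the observation the post's process-table question rests on.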