From Harlan.Stenn@pfcs.com  Thu Aug  2 22:13:23 2001
Return-Path: <Harlan.Stenn@pfcs.com>
Received: from mail.innovativeinternet.net (mail.innovativeinternet.net [208.244.164.7])
	by hub.freebsd.org (Postfix) with ESMTP id 643E137B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Aug 2001 22:13:23 -0700 (PDT)
	(envelope-from Harlan.Stenn@pfcs.com)
Received: from pcpsj.pfcs.com (harlan.xecu.net [216.127.150.112])
	by mail.innovativeinternet.net (Postfix) with ESMTP id 7E0332741
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Aug 2001 01:13:21 -0400 (EDT)
Received: from puss.pfcs.com (puss.pfcs.com [192.52.69.46])
	by pcpsj.pfcs.com (Postfix) with ESMTP id 28FC4D38F
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Aug 2001 01:13:13 -0400 (EDT)
Received: from harlan@localhost
	by puss.pfcs.com (8.11.4/8.11.4)
	id <f735D0753182-harlan>;
	Fri, 3 Aug 2001 01:13:00 -0400 (EDT)
Message-Id: <200108030513.f735D0753182@puss.pfcs.com>
Date: Fri, 3 Aug 2001 01:13:00 -0400 (EDT)
From: harlan <Harlan.Stenn@pfcs.com>
Reply-To: harlan <Harlan.Stenn@pfcs.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Log the IP of incoming rpc.statd overflow attacks
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         29406
>Category:       bin
>Synopsis:       Log the IP of incoming rpc.statd overflow attacks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 02 22:20:00 PDT 2001
>Closed-Date:    Thu Jul 11 10:45:30 PDT 2002
>Last-Modified:  Thu Jul 11 10:45:30 PDT 2002
>Originator:     harlan
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD puss.pfcs.com 4.3-STABLE FreeBSD 4.3-STABLE #4: Sat Jul 7 04:43:03 EDT 2001 root@spot.pfcs.com:/usr/obj/usr/src/sys/XRAM i386


>Description:
	While FreeBSD does not appear to be vulnerable to the statd buffer
	overflow attacks, I thought it might be useful to attempt to log
	the IP of the apparent attacker.

	This is just a first pass at attempting to log this info...
>How-To-Repeat:
	
>Fix:

usr.sbin/rpc.statd/:

--- procs.c-    Sat Jun  2 00:34:41 2001
+++ procs.c     Sat Jun  2 00:37:50 2001
@@ -63,7 +63,8 @@
   if (gethostbyname(arg->mon_name)) res.res_stat = stat_succ;
   else
   { 
-    syslog(LOG_ERR, "invalid hostname to sm_stat: %s", arg->mon_name);
+    syslog(LOG_ERR, "invalid hostname to sm_stat from %s: %s",
+          inet_ntoa(req->rq_xprt->xp_raddr), arg->mon_name);
     res.res_stat = stat_fail;
   }
 
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sat Aug 11 13:04:19 PDT 2001 
Responsible-Changed-Why:  
misfiled 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29406 
State-Changed-From-To: open->closed 
State-Changed-By: alfred 
State-Changed-When: Thu Jul 11 10:45:07 PDT 2002 
State-Changed-Why:  
Change has been checked into FreeBSD 5.x. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29406 
>Unformatted:
