rpc.mountd overflow - Internet Security Systems

rpc.mountd overflow

advICE : Intrusions : 2001706
Summary

An intruder has attempted to exploit the Linux mountd buffer overflow.

Details

This is an extremely common attack on the Internet. Most versions of Linux, up until the middle of 1998, were vulnerable to this exploit. It is a typical buffer overflow problem where the attacker passes in a filename that is much too large,

When an attacker attempts to exploit this bug, you may see other signs of abnormal behavior. For example, syslog might complain of a filename that is too long. Like most buffer overflows, the "filename" will consist mostly of a single character repeated over and over in a long string.
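The two signs described above (an over-long "filename" made up mostly of one repeated character) can be checked for in syslog output. The following is an added example, not code from the advisory or from ISS; the log line layout, the message wording in the sample, the 0.8 repetition threshold and the function names are assumptions, and the 1024-byte limit is MNTPATHLEN from the mount protocol (RFC 1094).

```python
import re
from collections import Counter

# Assumed thresholds (not from the advisory); tune for your environment.
MAX_PATH_LEN = 1024   # MNTPATHLEN in the mount protocol (RFC 1094)
MIN_RUN_RATIO = 0.8   # share of a token taken up by one character

# Assumed log shape: "<timestamp> <host> <daemon>[pid]: <message>".
# Real mountd message text varies by version, so only the daemon tag is matched.
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s"
                     r"(?:rpc\.)?mountd(?:\[\d+\])?:\s(?P<msg>.*)$")

def describe_token(token):
    """Measure a token: its length and whether one character dominates it."""
    ch, count = Counter(token).most_common(1)[0]
    ratio = count / len(token)
    return {"length": len(token), "char": ch, "repeated": ratio >= MIN_RUN_RATIO}

def scan(lines):
    """Return one finding per over-long token seen in a mountd log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # other daemons and unparseable lines are ignored
        for token in m.group("msg").split():
            if len(token) > MAX_PATH_LEN:
                findings.append({"line": lineno, "host": m.group("host"),
                                 **describe_token(token)})
    return findings

# Constructed sample input; the message wording is illustrative only.
SAMPLE = [
    "Jul  3 02:14:07 nfs1 mountd[412]: mount request for /export/home from client-a",
    "Jul  3 02:14:09 nfs1 mountd[412]: name too long: /" + "A" * 1500 + "/x",
    "Jul  3 02:14:11 nfs1 sshd[900]: " + "A" * 1500,
    "Jul  3 02:15:00 nfs1 mountd[412]: mount request for /" + "data/" * 300,
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with "repeated" set to True matches both signs from the paragraph above; one with False is over-long only and worth a manual look.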

Defense

Many new users of Linux mistakenly expose services to the Internet. They install all the packages of interest, which opens about 20-30 ports (TCP and UDP) to the Internet. However, this likely opens up ports that hackers can break into. Users should go into their /etc/inetd.conf and disable all unnecessary services.

More information

CERT: CA-98.12.mountd
BugtraqID: 121 - Multiple Vendor Linux Mountd Vulnerability. Describes which versions of Linux are vulnerable.
CVE-1999-0002 - mountd overflow
advICE: Buffer overflows - More about this general class of attacks, which is the root cause of many attacks on the Internet.

Parametric information

length: The length field - this number is larger than expected, thus indicating a possible buffer overflow attempt.

 
Version appeared:  
