Snort mailing list archives
RPC statdx exploit against DNS... WTF?
From: "Nels Lindquist" <nlindq () maei ca>
Date: Mon, 25 Mar 2002 12:08:26 -0700
Hi there.

Every once in a while (between one and five times/month) I get a snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my nameserver. Many of these attacks appear to originate from Asia, but I suppose a single UDP packet is quite spoofable, so there are no guarantees.

My nameserver isn't running any RPC services, and bind is fully patched, AFAIK. I haven't been able to find any references which would lead me to believe that named is vulnerable to the RPC statdx exploit, so I'm awfully curious as to why anyone would be trying to launch this exploit against my nameserver.

Is this alert actually a misidentification of an attack against bind? Or are the script kiddies just getting overzealous and trying every known exploit against the only open ports on the box?

Any ideas?

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.