Bugtraq mailing list archives

portmapper/process table flood exploit?


From: lordvadr () POBOX COM (C.J. Oster)
Date: Tue, 4 May 1999 13:41:07 -0500


Aleph, my apologies if this has already been posted.  I did a quick search
and didn't find anything.

Early this morning my machine crashed because of a ypserv flood on
portmap.  I'm not sure exactly what happened because of my lack of
familiarity with nis and portmap.  Here's the logs.

May  2 04:02:16 localhost portmap[1556]: connect from 130.126.85.3 to
callit(ypserv): request from unauthorized host
May  2 04:02:28 localhost portmap[1557]: connect from 130.126.85.3 to
callit(ypserv): request from unauthorized host
May  2 04:03:13 localhost portmap[1559]: connect from 130.126.85.3 to
callit(ypserv): request from unauthorized host
May  2 04:03:17 bh-ridgway portmap[1560]: connect from 130.126.85.3 to callit(ypserv): request from unauthorized host
.
.
.
.
May  2 05:00:57 localhost portmap[1943]: connect from 130.126.85.3 to
callit(ypserv): request from unauthorized host
May  2 05:01:07 loralhost portmap[1946]: connect from 130.126.85.3 to
callit(ypserv): request from unauthorized host
May  2 05:01:19 localhost portmap[1947]: connect from 130.126.85.3 to
callit(ypserv): request from unauthorized host

254 of them, then bang, dead.  I'm assuming it's a process table flood or
something of the sort.  Or perhaps a portmap exploit that I'm not aware
of.  I run 2.2.5, dual pentium 200mmx, and the offending machine is
another linux machine running the 2.1 or the 2.2 kernel (at least that's
what queso says).  Any ideas? Thanks in advance.

-CJO-


                C.J. Oster (Linux Guru/Surge Addict)
------------------------------------------------------------------
| cjo () pobox com   |   910 S. 3rd St, #1218  |        CCSO, WSG, UIUC  |
| oster () uiuc edu  |   Champaign, IL 61820   |        1443 DCL, Urbana |
| ---------------------------------------------------------------|
|    PGP: 87D5 4216 43A1 42D6 754D  8F5E 24B3 992A B7A1 F556     |
------------------------------------------------------------------
                   (580)761-6393 (217)328-8934
      "Linux, for people with an IQ above 98" - Bumper Sticker
 "Hm, a little big for a cup holder... Why does it say '4x' on it?"



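A way to flag this pattern from the defender's side, as an added example that is not part of the original post: it counts portmap "request from unauthorized host" denials per source and service inside a sliding window, and tolerates records wrapped across two lines as they are when logs are pasted into mail. The names `unwrap` and `find_floods`, the threshold, the window and the assumed year are illustrative choices, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamp and the portmap access-control denial format quoted in the post.
TS = r"[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d"
DENY = re.compile(
    r"^(?P<ts>" + TS + r") \S+ portmap\[\d+\]: connect from (?P<src>\S+) to "
    r"\w+\((?P<svc>\w+)\): request from unauthorized host")

def unwrap(lines):
    """Rejoin records that were wrapped onto a continuation line."""
    record = ""
    for line in lines:
        if re.match(TS, line) and record:
            yield record
            record = ""
        record = (record + " " + line.strip()).strip()
    if record:
        yield record

def find_floods(lines, threshold=5, window=timedelta(minutes=5), year=1999):
    """Return {(src, service): peak count} for sources reaching `threshold`
    denials inside `window`. Syslog omits the year, so it is a parameter."""
    recent, peaks = defaultdict(deque), {}
    for rec in unwrap(lines):
        m = DENY.match(rec)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["svc"])
        q = recent[key]
        q.append(when)
        while when - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

# Constructed sample (not the poster's log): one noisy source, one single probe.
SAMPLE = []
for i in range(8):
    SAMPLE += [f"May  2 04:0{i}:16 localhost portmap[{1556 + i}]: connect from 192.0.2.10 to",
               "callit(ypserv): request from unauthorized host"]
SAMPLE.append("May  2 04:09:00 localhost portmap[1600]: connect from 198.51.100.7 to callit(ypserv): request from unauthorized host")

if __name__ == "__main__":
    for (src, svc), n in find_floods(SAMPLE).items():
        print(f"{src} -> {svc}: {n} denied requests within the window")
```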