Snort mailing list archives

RPC statdx exploit against DNS... WTF?


From: "Nels Lindquist" <nlindq () maei ca>
Date: Mon, 25 Mar 2002 12:08:26 -0700

Hi there.

Every once in a while (between one and five times/month) I get a 
snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my 
nameserver.  Many of these attacks appear to originate from Asia, but 
I suppose a single UDP packet is quite spoofable, so there are no 
guarantees.

My nameserver isn't running any RPC services, and bind is fully 
patched, AFAIK.  I haven't been able to find any references which 
would lead me to believe that named is vulnerable to the RPC statdx 
exploit, so I'm awfully curious as to why anyone would be trying to 
launch this exploit against my nameserver.

Is this alert actually a misidentification of an attack against bind? 
Or are the script kiddies just getting overzealous and trying every 
known exploit against the only open ports on the box?

Any ideas?

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.



