[Snort-users] RPC statdx exploit against DNS... WTF?
nlindq at ...3834...
Mon Mar 25 11:09:20 EST 2002
Every once in a while (between one and five times/month) I get a
snort alert on "RPC EXPLOIT statdx," directed to UDP port 53 on my
nameserver. Many of these attacks appear to originate from Asia, but
I suppose a single UDP packet is quite spoofable, so there are no

My nameserver isn't running any RPC services, and bind is fully
patched, AFAIK. I haven't been able to find any references which
would lead me to believe that named is vulnerable to the RPC statdx
exploit, so I'm awfully curious as to why anyone would be trying to
launch this exploit against my nameserver.

Is this alert actually a misidentification of an attack against bind?
Or are the script kiddies just getting overzealous and trying every
known exploit against the only open ports on the box?
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.