
Re: Strange entry in syslog



I've been getting the same errors too.  We also have script kiddies going at
our machines, but there's no way to tell if the two are related.  I'm not
getting hundreds of these messages though, just one or two per day.

Bind did have a known overflow exploit a little while ago - I suspect this
is it.

----- Original Message -----
From: "Mailing List" <maillist@jasonlim.com>
To: "Debian-ISP-List" <debian-isp@lists.debian.org>
Sent: Saturday, January 27, 2001 7:32 AM
Subject: Re: Strange entry in syslog


> Interestingly, I've been seeing that on many servers we operate.
> We run unstable though...
>
> Sometimes we get hundreds of those messages, with exactly the same problems
> you experienced.
> We always thought some script-kiddie was trying to find some buffer overflow
> shxt on us. Is it?
>
> Jason Lim
>
> ----- Original Message -----
> From: "Marek L. Kozak" <marko@terabajt.pl>
> To: "Debian-ISP-List" <debian-isp@lists.debian.org>
> Sent: Saturday, 27 January, 2001 3:25 AM
> Subject: Strange entry in syslog
>
>
> Hello,
>
> I found this in my syslog today:
> Jan 26 01:39:38 myhost
> Jan 26 01:39:38 myhost /sbin/rpc.statd[156]: gethostbyname error for
> ^X÷˙
> ż^X÷
> ˙ż^Y
> ÷˙ż^
> Y÷˙ż
> ^Z÷˙
> ż^Z÷
> ˙ż^
> [÷˙ż
> ^[÷˙
> ż%8x
> %8x%
> 8x%8
> x%8x
> %8x%
> 8x%8
> x%8x
> %236
> x%n%
> 137x
> %n%1
> 0x%n
> %192
> x%n\
> 220\
>
> Then some lines with earlier time and again:
> Jan 26 01:39:38 myhost
> Jan 26 01:39:38 myhost syslogd: Cannot glue message parts together
> Jan 26 01:39:38 myhost /sbin/rpc.statd[156]: gethostbyname error for
> _here_goes_the_same_long_line_returned_by_gethostbyname_
>
> Some told me it might be a worm called Raven, but it attacks some RedHat
> systems. Anyway I didn't find any signs of the worm on my potato.
> Any ideas?
> --
> Regards,
> Marek L. Kozak
>
>
> --
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>
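A log-side check for entries like the one quoted in this thread, where rpc.statd logs a "hostname" that carries printf-style conversions (%8x, %n) and a run of \220 escapes. This is an added example, not part of the original messages; the sample lines are constructed, and the function names and the threshold of four escaped bytes are assumptions.

```python
import re

# A syslog entry starts with a timestamp such as "Jan 26 01:39:38 ".
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# The text rpc.statd logs after a failed lookup is the requested host name.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for\s*(?P<name>.*)$")
FMT_RE = re.compile(r"%\d*[xXsdupn]")                 # e.g. %8x, %236x, %n
WRITE_RE = re.compile(r"%\d*n")                       # %n writes to memory in printf
OCTAL_RUN_RE = re.compile(r"(?:\\[0-3][0-7]{2}){4,}")  # e.g. \220\220\220\220 (assumed threshold)

def records(lines):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out

def classify(record):
    """Return tags describing why the logged host name is not a plain host name."""
    m = STATD_RE.search(record)
    if not m:
        return []
    name, tags = m.group("name"), []
    if WRITE_RE.search(name):
        tags.append("percent-n")
    if FMT_RE.search(name):
        tags.append("format-specifiers")
    if OCTAL_RUN_RE.search(name):
        tags.append("escaped-byte-run")
    return tags

def scan(lines):
    """Return (record, tags) for every rejoined record that got at least one tag."""
    return [(r, tags) for r in records(lines) if (tags := classify(r))]

# Constructed sample input (shortened; not copied from a real host).
SAMPLE = [
    "Jan 26 01:39:38 myhost /sbin/rpc.statd[156]: gethostbyname error for",
    r"%8x%8x%236x%n%137x%n\220\220\220\220\220\220",
    "Jan 26 01:40:02 myhost /sbin/rpc.statd[156]: gethostbyname error for nfsclient.example.net",
    "Jan 26 01:40:05 myhost syslogd: Cannot glue message parts together",
]

if __name__ == "__main__":
    for record, tags in scan(SAMPLE):
        print(record[:60], "->", ", ".join(tags))
```

A lookup failure for an ordinary name produces no tags, so only entries whose "host name" contains conversions or escaped byte runs are reported.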


