Re: rpc.statd attack?
On Tue, Jan 09, 2001 at 12:31:59PM -0800, crusius@stanford.edu wrote:
> I got the following (alarming) messages on syslog:
>
> Jan 8 13:34:23 yuban syslogd: Cannot glue message parts together Jan
> 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
> ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8
> x%236x%n%137x%n%10x%n%192x%n\220
> It looks like an attack (especially when I see /bin/sh hidden in
> there). I searched the lists and it seems that this problem should
> have been corrected before potato was released. Any reason for
> worries, or is there any reason why I should think it was an
> unsuccessful attack?
If it had been a successful attack, the %x and %n's in the above would
not have come through to syslog; it would have crashed well beforehand.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
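
An added example, not part of the original message: a small Python check that flags rpc.statd syslog entries like the one quoted above, where the logged "hostname" carries printf-style directives or escaped non-printable bytes. The function names are hypothetical and the sample lines are constructed, the first being a shortened form of the quoted entry.

```python
import re

# printf-style conversion: optional n$, flags, width, precision, length
# modifier, then the conversion character (captured).
DIRECTIVE = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|j|z|t)?([diouxXeEfgGcspn])")
# Non-printable bytes as they appear in the quoted entry: ^X or \xf7.
ESCAPED = re.compile(r"\\x[0-9a-fA-F]{2}|\^[@-_]")
# Message text taken from the quoted log entry.
STATD = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<host>.*)$")

def inspect(line):
    """Count directives and escaped bytes in the logged hostname, or None."""
    m = STATD.search(line)
    if m is None:
        return None
    host = m.group("host").replace("%%", "")  # "%%" is a literal percent sign
    convs = DIRECTIVE.findall(host)
    return {"directives": len(convs), "writes": convs.count("n"),
            "escaped_bytes": len(ESCAPED.findall(host))}

def verdict(line):
    info = inspect(line)
    if info is None:
        return "not-statd"
    if info["writes"]:
        return "format-string-write"   # at least one %n directive
    if info["directives"] or info["escaped_bytes"]:
        return "suspicious"            # valid hostnames contain neither
    return "ok"

# Constructed sample lines (assumption: one syslog entry per line).
SAMPLES = [
    r"Jan  8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for "
    r"^X\xf7\xff\xbf^Y\xf7\xff\xbf%8x%8x%8x%236x%n%137x%n",
    "Jan  8 13:40:02 yuban /sbin/rpc.statd[159]: gethostbyname error for nfsclient.example.org",
    "Jan  8 13:42:00 yuban sshd[412]: Connection closed by 192.0.2.10",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(verdict(line), inspect(line))
```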