Re: your mail
On Sat, Sep 15, 2001 at 12:51:26 -0400, Russell Speed wrote:
> I am curious if the following is an example of a buffer overflow.
It looks like an attempt to exploit a buffer overflow. IIRC the fact that it
got logged to syslog means it didn't work.
> I changed the passwords - and added an entry to the input chain to block
> the IP, but am wondering what other things I should do?
In general, if you believe your system to be compromised, the only way
to be sure there is no backdoor installed is to reinstall from scratch and
restore important data from backups.
> Should I remove /bin/sh for something less obvious as a general protection
> from buffer overflows?
No, that's akin to fighting symptoms rather than causes.
> Sep 9 21:27:43 gw /sbin/rpc.statd: gethostbyname error for
I'm not aware of recent vulnerabilities in portmapper or NFS. Those that are
commonly probed for have been fixed in Debian for months, if not years. If
you've been r00ted, portmap/NFS is unlikely to have been the vulnerable
Have you contacted the user that connected from the IP you didn't recognize?
There might be a straightforward explanation.
RUMOUR Believe all you hear. Your world may not be a better one than the one
the blocks live in but it'll be a sight more vivid.
- The Hipcrime Vocab by Chad C. Mulligan
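As an added example (not part of the original thread or of Debian's tooling), a small Python checker that flags rpc.statd "gethostbyname error" syslog entries whose hostname argument does not look like a hostname, the kind of entry the poster saw. The sample syslog lines, the regexes and the thresholds are constructed for illustration.

```python
import re

# Constructed sample syslog lines (not from the original mail). The first
# imitates an rpc.statd "gethostbyname error" entry whose hostname argument
# is a long run of filler bytes rather than a name; the second is a normal
# lookup failure for a real-looking client name.
SAMPLE_SYSLOG = [
    "Sep  9 21:27:43 gw /sbin/rpc.statd: gethostbyname error for "
    + "\x90" * 40 + "/bin/sh",
    "Sep  9 21:28:01 gw /sbin/rpc.statd: gethostbyname error for nfs-client.example.org",
    "Sep  9 21:28:15 gw sshd[412]: Accepted password for rspeed from 192.0.2.10",
]

STATD_RE = re.compile(r"rpc\.statd: gethostbyname error for (?P<host>.*)$")
# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)

def classify_statd_line(line):
    """Return None if the line is not a statd gethostbyname error,
    ('benign', []) if the argument is a plausible hostname, otherwise
    ('suspicious', reasons)."""
    m = STATD_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    reasons = []
    if len(host) > 253:                      # longer than any legal hostname
        reasons.append("length>253")
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in host):
        reasons.append("non-printable bytes")
    if not HOSTNAME_RE.match(host):
        reasons.append("not a valid hostname")
    if re.search(r"(.)\1{7,}", host):        # 8+ identical bytes in a row
        reasons.append("long repeated byte run")
    return ("suspicious", reasons) if reasons else ("benign", [])

def scan_syslog(lines):
    """Return (line_number, reasons) for every suspicious statd entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_statd_line(line)
        if result and result[0] == "suspicious":
            hits.append((n, result[1]))
    return hits

if __name__ == "__main__":
    for n, reasons in scan_syslog(SAMPLE_SYSLOG):
        print(f"line {n}: {', '.join(reasons)}")
```

A hit only shows that something sent rpc.statd a bogus hostname; as the reply notes, whether it succeeded is a separate question, and the host should still be checked against other evidence.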