
Re: your mail



On Sat, Sep 15, 2001 at 12:51:26 -0400, Russell Speed wrote:
> I am curious if the following is an example of a buffer overflow.

It looks like an attempt to exploit a buffer overflow. IIRC the fact that it
got logged to syslog means it didn't work.

> I changed the passwords - and added an entry to the input chain to block
> the IP, but am wondering what other things I should do? 

In general, if you believe your system to be compromised, the only way
to be sure there is no backdoor installed is to reinstall from scratch and
restore important data from backups.

> Should I remove /bin/sh for something less obvious as a general protection
> from buffer overflows?

No, that's akin to fighting symptoms rather than causes.

> Sep  9 21:27:43 gw /sbin/rpc.statd[336]: gethostbyname error for

I'm not aware of recent vulnerabilities in portmapper or NFS. Those that are
commonly probed for have been fixed in Debian for months, if not years. If
you've been r00ted, portmap/NFS is unlikely to have been the vulnerable
spot.

Have you contacted the user that connected from the IP you didn't recognize?
There might be a straightforward explanation.

HTH,
Ray
-- 
RUMOUR  Believe all you hear. Your world may  not be a better one than the one
the blocks  live in but it'll be a sight more vivid.
    - The Hipcrime Vocab by Chad C. Mulligan
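The reply above argues that a logged rpc.statd "gethostbyname error" is evidence of a failed attempt rather than a successful one. As an added example (not part of the original thread, and not Debian's or rpc.statd's own code), the following script shows the kind of triage check a defender can run over syslog: it parses standard syslog lines, picks out rpc.statd "gethostbyname error for" messages, and flags any whose argument does not look like a hostname at all. The log lines embedded in it are constructed for the example; the line quoted in the thread was truncated, so the "garbage" argument here is an assumed stand-in, not the real one.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (not from the original mail; the line quoted
# in the thread was cut off after "gethostbyname error for"). The second line
# is an assumed example of a non-hostname argument: the argument is the place
# where a hostname belongs, so anything that cannot be a hostname is worth
# an analyst's attention.
SAMPLE_LOG = "\n".join([
    "Sep  9 21:27:43 gw /sbin/rpc.statd[336]: gethostbyname error for nfsclient.example.net",
    "Sep  9 21:27:43 gw /sbin/rpc.statd[336]: gethostbyname error for "
    + "\\xff\\xfe" + "A" * 300,
    "Sep  9 21:28:01 gw sshd[402]: Accepted password for russell from 192.0.2.10 port 1022",
])

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Characters permitted in a DNS hostname; anything else is suspicious here.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")
MAX_HOSTNAME_LEN = 253  # RFC 1035 limit on a fully qualified name
STATD_PREFIX = "gethostbyname error for "


def check_statd_arg(arg: str) -> Optional[str]:
    """Return a reason string if the gethostbyname argument is not a plausible
    hostname, or None if it looks benign."""
    if not HOSTNAME_RE.match(arg):
        return "non-hostname characters in argument"
    if len(arg) > MAX_HOSTNAME_LEN:
        return f"argument longer than a legal hostname ({len(arg)} bytes)"
    return None


def scan_syslog(text: str) -> List[Dict[str, str]]:
    """Scan syslog text and return one finding per suspicious rpc.statd line."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue  # not a syslog line we understand; skip it
        if not m["prog"].endswith("rpc.statd"):
            continue
        msg = m["msg"]
        if not msg.startswith(STATD_PREFIX):
            continue
        arg = msg[len(STATD_PREFIX):]
        reason = check_statd_arg(arg)
        if reason is not None:
            findings.append({
                "ts": m["ts"],
                "host": m["host"],
                "pid": m["pid"] or "",
                "reason": reason,
                # Keep only a short preview so the report itself stays readable.
                "arg_preview": arg[:40],
            })
    return findings


if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} rpc.statd[{f['pid']}]: "
              f"{f['reason']} (starts with {f['arg_preview']!r})")
```

The script only surfaces lines for review; as the reply says, the presence of the log entry suggests the daemon was still running to write it, but whether the host was compromised by some other route is a separate question that log grepping cannot answer.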