[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: your mail

On Sat, Sep 15, 2001 at 12:51:26 -0400, Russell Speed wrote:
> I am curious if the following is an example of a buffer overflow.

It looks like an attempt to exploit a buffer overflow. IIRC the fact that it
got logged to syslog means it didn't work.

> I changed the passwords - and added an entry to the input chain to block
> the IP, but am wondering what other things I should do? 

In general, if you believe your system to be compromised, the only thing way
to be sure there is no backdoor installed is to reinstall from scratch and
restore important data from backups.

> Should I remove /bin/sh for something less obvious as a general protection
> from buffer overflows?

No, that's akin to fighting symptoms rather than causes.

> Sep  9 21:27:43 gw /sbin/rpc.statd[336]: gethostbyname error for

I'm not aware of recent vulnerabilities in portmapper or NFS. Those that are
commonly probed for have been fixed in Debian for months, if not years. If
you've been r00ted, portmap/NFS is unlikely to have been the vulnerable

Have you contacted the user that connected from the IP you didn't recognize?
There might be a straightforward explanation.

RUMOUR  Believe all you hear. Your world may  not be a better one than the one
the blocks  live in but it'll be a sight more vivid.      
    - The Hipcrime Vocab by Chad C. Mulligan  

Reply to: