Re: Got hacked by Ramen-style attack
Try to:
nmap -I -O -P0 127.0.0.1
ps ax
and see if you see something strange.
For more help from me just paste the tables in an email.

Note: once I had socklist ... a program that could tell you which programs
keep sockets up.
Note 2: look, no open socket doesn't mean you're without any backdoor ... a socket
can open on an event such as a time trigger or ICMP trigger ... so you should
monitor that machine more.

SaDIKuZboy
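The "which programs keep sockets up" check that the reply attributes to socklist can be done directly from /proc, and seeing it spelled out makes clear what such a tool can and cannot tell you. The following is an added example written for this archive page; it is not code from the thread, from socklist, or from nmap. It reads the /proc/net/tcp table, decodes the hex address and state columns, and matches each socket's inode against the socket:[inode] link targets under /proc/<pid>/fd. The /proc/net/tcp text and the fd link map below are constructed sample data (the pids 300 and 400 and the 8080 listener are invented) so the example runs offline; live_fd_links() is the collector for a real system.

```python
"""
Added example (not from the thread, socklist or nmap): map listening TCP
sockets to the process that owns them using /proc, the way socket-listing
tools do it.  Parsers are exercised on constructed sample data below.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Socket state codes as printed in /proc/net/tcp (kernel tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

@dataclass
class Socket:
    local_ip: str
    local_port: int
    state: str
    uid: int
    inode: int

def decode_addr(field: str) -> Tuple[str, int]:
    """'0100007F:0203' -> ('127.0.0.1', 515): the IPv4 address is stored as a
    little-endian hex word, the port as big-endian hex."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> List[Socket]:
    """Parse the /proc/net/tcp table; the first row is the column header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = decode_addr(f[1])
        sockets.append(Socket(ip, port, TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return sockets

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def build_inode_map(fd_links: Dict[int, List[str]]) -> Dict[int, int]:
    """{pid: [link targets of /proc/<pid>/fd/*]}  ->  {socket inode: pid}."""
    owner = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.fullmatch(target)
            if m:
                owner[int(m.group(1))] = pid
    return owner

def live_fd_links() -> Dict[int, List[str]]:
    """Collect fd link targets from a live /proc (root sees every process)."""
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue
    return links

def listening_sockets(text: str, fd_links: Dict[int, List[str]]) -> List[Tuple[str, int, Optional[int]]]:
    """(ip, port, owning pid or None) for every LISTEN socket, sorted by port.
    A None owner means no visible process holds the socket: either you lack
    permission to read that process's fd table, or the owner is hiding."""
    owner = build_inode_map(fd_links)
    rows = [(s.local_ip, s.local_port, owner.get(s.inode))
            for s in parse_proc_net_tcp(text) if s.state == "LISTEN"]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample: sshd on 22, lpd on 515 (plus one accepted connection),
# and a listener on 8080 that no visible process owns.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2200 1 0000000000000000 100 0 0 10 0
   1: 00000000:0203 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5150 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0203 0100007F:8F2A 01 00000000:00000000 00:00000000 00000000     0        0 5151 1 0000000000000000 20 4 30 10 -1
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_FD_LINKS = {          # hypothetical pids, constructed for the sample
    300: ["socket:[2200]", "/dev/null"],
    400: ["socket:[5150]", "socket:[5151]"],
}

if __name__ == "__main__":
    for ip, port, pid in listening_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS):
        print(f"{ip}:{port:<5} pid={'UNKNOWN' if pid is None else pid}")
```

On a real machine call listening_sockets(open("/proc/net/tcp").read(), live_fd_links()) as root (and repeat for /proc/net/tcp6 and /proc/net/udp). Note the caveat the reply itself raises: this only shows sockets that exist at the moment you look, so a backdoor that opens its socket on a trigger will not appear in the table, and an "UNKNOWN" owner on a listening port deserves the same attention as a strange port.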
----- Original Message -----
From: "Thomas Amm" <thomas.amm@fh-zwickau.de>
To: <debian-security@lists.debian.org>
Sent: Thursday, November 22, 2001 1:50 PM
Subject: Got hacked by Ramen-style attack


>
> On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi all,
>
> that's what I found in my logs after I had to reboot my
> Router, which also worked as print server (Now I know better)
> because of a DoS.
>
>
> Nov 21 03:29:36 lan1 -- MARK --
> Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
> Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BB(ñÿ¿)ñÿ¿*ñÿ¿+ñÿ¿XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
> Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH
> (and so on) - the lpr.log shows the same entries.
>
> I searched the system for fragments of the Ramen worm after reboot but I
> found nothing suspicious.
> The attack seemed to come over nmbd, although all ports, except inetd, are
> blocked to the outside via ipchains. I had a number of rejected packets to
> port 137 immediately before, nmbd crashed and the lprng exploit started.
> So there are some questions I would like to pose:
> Is Woody's lprng still vulnerable? I've got the latest version.
> Is the shown exploit a sign that someone already was in there, or just for
> an attempt?
> Can I find possible backdoors, or will I have to re-install?
>
> Thanks,
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iEYEARECAAYFAjv829UACgkQRMvUAcFGSvDcwACgw39Hh2j83YJ1v42pgwJvL1je
> ryoAoP8tSMHNsBuH3jRtU6WG07MnQ48t
> =8csx
> -----END PGP SIGNATURE-----
>
> --
> Things are more like they are today than they ever were before.
> -- Dwight Eisenhower
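The log excerpt in the quoted post is the classic fingerprint of a format-string attack on LPRng: a "bad request line" whose body is not a malformed print request but a chain of %.Nu padding directives and positional %N$n writes followed by machine code and a /bin/sh string. Telling that apart from an ordinary malformed request is easy to automate. The following scanner is an added example written for this archive page, not code from the thread or from LPRng. It parses syslog lines of the shape shown in the post, extracts the quoted request, and reports why a line looks like an attack. The three log lines it runs on are constructed for the test: the benign one is invented, and the attack line keeps only the format-string part of the post's payload with the shellcode bytes replaced by arbitrary high bytes.

```python
"""
Added example (not from the thread or LPRng): flag LPRng 'Dispatch_input:
bad request line' syslog entries that carry format-string directives or
shellcode markers.  Sample log lines are constructed for the test.
"""
import re
from dataclasses import dataclass
from typing import List

# Shape of the entries in the post: "<ts> <host> <prog>[<pid>]: Dispatch_input: bad request line '<req>'"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"Dispatch_input: bad request line '(?P<req>.*)'$"
)
# %n (optionally with a positional selector such as %300$n) writes to memory;
# it has no place in a legitimate LPR request line.
FMT_WRITE_RE = re.compile(r"%\d*\$?n")
# Runs of '%.<width>u' are the padding that sets up the value each %n writes.
FMT_PAD_RE = re.compile(r"%\.\d+u")

@dataclass
class Alert:
    timestamp: str
    host: str
    pid: int
    reasons: List[str]

def classify_request(req: str) -> List[str]:
    """Return the reasons a request body looks like a format-string attack
    (empty list for an ordinary malformed request)."""
    reasons = []
    if FMT_WRITE_RE.search(req):
        reasons.append("format-string write directive (%n)")
    if len(FMT_PAD_RE.findall(req)) >= 2:
        reasons.append("multiple %.Nu padding directives")
    if "/bin/sh" in req:
        reasons.append("shell path embedded in request")
    binary = sum(1 for c in req if ord(c) > 126 or (ord(c) < 32 and c != "\t"))
    if binary >= 8:
        reasons.append(f"{binary} non-printable bytes (probable shellcode)")
    return reasons

def scan(lines: List[str]) -> List[Alert]:
    """Scan syslog lines; MARK lines and unrelated entries are ignored."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["req"])
        if reasons:
            alerts.append(Alert(m["ts"], m["host"], int(m["pid"]), reasons))
    return alerts

# Constructed sample log.  The benign entry is invented; the attack entry keeps
# the post's format-string prefix and stands in ten arbitrary high bytes for
# the shellcode.
SAMPLE_LOG = [
    "Nov 21 03:29:36 lan1 -- MARK --",
    "Nov 21 03:30:02 lan1 SERVER[2750]: Dispatch_input: bad request line 'GET / HTTP/1.0'",
    "Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line "
    "'BB\xdc\xf3\xff\xbf\xdd\xf3\xff\xbfXXXXXXXXXXXXXXXXXX"
    "%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n"
    "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9/bin/sh'",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} pid {a.pid}: " + "; ".join(a.reasons))
```

Run it over /var/log/syslog and lpr.log with scan(open(path, encoding="latin-1").read().splitlines()); the latin-1 decoding keeps the raw payload bytes instead of failing on them. An alert answers the post's second question only partly: it proves an attempt was made, and whether it succeeded depends on what the daemon did next, which is why the process and socket checks in the reply still need to be done on the machine itself.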