
Re: Got hacked by Ramen-style attack



Thomas Amm <thomas.amm@fh-zwickau.de> wrote:

|> that's what I found in my logs after I had to reboot my 
|> Router, which also worked as print server (Now I know better)
|> because of a DoS.

Exactly the same messages here (in /var/log/sys.log and
/var/log/messages). See my earlier posting:

     To: debian-user@lists.debian.org 
     Subject: LPRNG vulnerability [was Re: weird messages in syslog] 
     From: Jim McCloskey <mcclosk@ling.ucsc.edu> 
     Date: Wed, 21 Nov 2001 10:29:16 -0800 
     CC: debian-security@lists.debian.org 
     References: <E166Lt0-00063w-00@localhost> 

I am using lprng 3.8.0 from Debian testing. I am not running nmbd.
There are no messages in the logs about accepted or refused
connections that seem to be related to the incident.

|> So there are some questions I would like to pose:
|> Is Woody's lprng still vulnerable? I've got the latest version.

I think it must be.

|> Is the shown exploit a sign that someone already was in there, or just for an attempt?
|> Can I find possible backdoors, or will I have to re-install ?

I also would love answers to these questions. I've not managed to find
any signs of damage so far, and the incident didn't bring the system
down, but I'm very nervous ...

Jim

PS here are the relevant messages:

----------------------------------------------------------------------
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 'BB??????????\
??????XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n\220\220\220\2\
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
.............

2201?1?1??F?\200\211?1??f\211?1?\211?C\211]?C\211]?K\211M?\215M??\2001?\211
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 'BB(???)???*?\
??+???XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\220\220\22\
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2\
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\

repeated then at one-second intervals between 01:18:12 and
01:18:47---the same message followed by the same long sequence of
garbage characters, with a new PID each time.
----------------------------------------------------------------------
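As an added example (not part of the original thread), the Python below scans syslog text for the "Dispatch_input: bad request line" entries of the kind shown above, keeps only those carrying positional %n directives and a run of \220 (octal 0x90) bytes, and summarises the burst the way Jim described it: attempts per second, each served by a new PID. The sample lines are constructed and shortened, and the year 2001 is assumed from the posting date.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the syslog excerpt in the post (shortened:
# the real lines carried hundreds of \220 bytes each; the sshd line is filler).
SAMPLE_LOG = r"""
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 'BBXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n\220\220\220\220\220\220'
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 'BBXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\220\220\220\220\220\220'
Nov 20 01:18:14 localhost SERVER[21313]: Dispatch_input: bad request line 'BBXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\220\220\220\220\220\220'
Nov 20 01:20:00 localhost SERVER[21400]: Dispatch_input: bad request line 'garbage from a misconfigured client'
Nov 20 01:21:05 localhost sshd[900]: Accepted publickey for jim from 10.0.0.5 port 4022
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ SERVER\[(?P<pid>\d+)\]: "
                     r"Dispatch_input: bad request line '(?P<req>.*)$")
# Positional %n directives such as %300$n are the hallmark of a format-string
# write attempt; \220 is octal 0x90, the x86 NOP that pads a sled.
POS_WRITE_RE = re.compile(r"%\d+\$n")
NOP_RE = re.compile(r"\\220")


def scan_lprng_log(text, min_nops=4):
    """One record per LPRng 'bad request line' carrying %n write directives."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = m.group("req")
        writes = POS_WRITE_RE.findall(req)
        if not writes:
            continue  # malformed but benign request, not the exploit pattern
        hits.append({
            # year is not in syslog timestamps; 2001 assumed from the post date
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2001),
            "pid": int(m.group("pid")),
            "writes": len(writes),
            "nop_sled": len(NOP_RE.findall(req)) >= min_nops,
        })
    return hits


def summarize_burst(hits):
    """Count attempts, distinct child PIDs and the widest gap in seconds."""
    if not hits:
        return {"count": 0, "distinct_pids": 0, "max_gap_s": 0}
    ts = [h["ts"] for h in hits]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return {"count": len(hits), "distinct_pids": len({h["pid"] for h in hits}),
            "max_gap_s": max(gaps, default=0)}
```

A one-second cadence with a fresh PID per line means each attempt was a new connection to lpd, so the log shows attempts rather than proof of a successful compromise; that question has to be settled by inspecting the host itself.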


