Re: Got hacked by Ramen-style attack
Thomas Amm <thomas.amm@fh-zwickau.de> wrote:
|> that's what I found in my logs after I had to reboot my
|> Router, which also worked as print server (Now I know better)
|> because of a DoS.
Exactly the same messages here (in /var/log/sys.log and
/var/log/messages). See my earlier posting:
To: debian-user@lists.debian.org
Subject: LPRNG vulnerability [was Re: weird messages in syslog]
From: Jim McCloskey <mcclosk@ling.ucsc.edu>
Date: Wed, 21 Nov 2001 10:29:16 -0800
CC: debian-security@lists.debian.org
References: <E166Lt0-00063w-00@localhost>
I am using lprng 3.8.0 from Debian testing. I am not running nmbd.
There are no messages in the logs about accepted or refused
connections that seem to be related to the incident.
|> So there are some questions I would like to pose:
|> Is Woody's lprng still vulnerable? I've got the latest version.
I think it must be.
|> Is the shown exploit a sign that someone already was in there, or just for
|> an attempt?
|> Can I find possible backdoors, or will I have to re-install ?
I also would love answers to these questions. I've not managed to find
any signs of damage so far, and the incident didn't bring the system
down, but I'm very nervous ...
Jim
PS here are the relevant messages:
----------------------------------------------------------------------
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 'BB??????????\
??????XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n\220\220\220\2\
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
.............
2201?1?1??F?\200\211?1??f\211?1?\211?C\211]?C\211]?K\211M?\215M??\2001?\211
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 'BB(???)???*?\
??+???XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\220\220\22\
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2\
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
repeated then at one-second intervals between 01:18:12 and
01:18:47---the same message followed by the same long sequence of
garbage characters, with a new PID each time.
----------------------------------------------------------------------
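As an added example (not part of the thread, and not LPRng's own code): a small Python checker that flags syslog entries of the kind shown above, i.e. LPRng "Dispatch_input: bad request line" messages whose rejected input carries `%N$n` write directives, `%.Nu` padding and a run of octal `\220` (0x90) bytes, and that counts hits per second so the one-second burst stands out. The sample lines are constructed, shortened copies of the messages in the post.

```python
import re
from collections import Counter

# LPRng logs the rejected request after "bad request line '", with non-printable
# bytes escaped as octal (\220 == 0x90).
LPRNG_BAD_REQ = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+?)\[(?P<pid>\d+)\]: "
    r"Dispatch_input: bad request line '(?P<body>.*)$"
)
# "%300$n" style directives write to the address held in a positional argument;
# no legitimate LPD request contains them.
WRITE_DIRECTIVE = re.compile(r"%(\d+)\$n")
WIDTH_PAD = re.compile(r"%\.\d+u")          # "%.156u" padding that sets the written value
NOP_SLED = re.compile(r"(?:\\220){8,}")      # 8 or more consecutive 0x90 bytes, octal-escaped

def classify(line):
    """Indicators for one syslog line, or None if it is not an LPRng bad-request line."""
    m = LPRNG_BAD_REQ.match(line)
    if not m:
        return None
    body = m.group("body")
    writes = WRITE_DIRECTIVE.findall(body)
    pads = WIDTH_PAD.findall(body)
    sled = NOP_SLED.search(body) is not None
    return {
        "ts": m.group("ts"),
        "pid": int(m.group("pid")),
        "write_targets": sorted({int(w) for w in writes}),
        "pad_directives": len(pads),
        "nop_sled": sled,
        # a write directive alone is enough to worry about; padding or a sled confirms it
        "format_string_attack": bool(writes) and (bool(pads) or sled),
    }

def scan(lines):
    """Return (hits, per_second): suspected exploit lines and how many fell on each timestamp."""
    hits = [c for c in (classify(l) for l in lines) if c and c["format_string_attack"]]
    return hits, Counter(h["ts"] for h in hits)

# Constructed sample log: the first two lines are shortened forms of the thread's messages
# (sled truncated to 12 bytes); the last two are benign lines for contrast.
SAMPLE_LOG = [
    "Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 'BBXXXXXXXX"
    "%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n" + "\\220" * 12 + "'",
    "Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 'BBXXXXXXXX"
    "%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n" + "\\220" * 12 + "'",
    "Nov 20 01:20:00 localhost SERVER[21330]: Dispatch_input: bad request line 'GET / HTTP/1.0'",
    "Nov 20 01:20:05 localhost kernel: eth0: link up",
]
```

Run `scan()` over `/var/log/messages` lines; a non-empty `hits` list, or several hits on consecutive timestamps with fresh PIDs, is the pattern the post describes.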