Re: syslog messages
Marcel Welschbillig wrote:
> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some
> light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for
> ^X<F7><FF>
> <BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7><FF><BF>^[<F7>
> <FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
blah blah blah
> Thanks in advance !
>
> Marcel
Something along the lines of an old statd exploit. I believe this DSA[1]
is the one that covers it, and also this CERT Advisory [2]. I would
personally believe that the attack was unsuccessful, since it did write
it to the log (rather than crash and give the attacker a shell), but the
CERT advisory leads me to think otherwise. Check your version of nfs,
0.1.9.1-1 or better should be fixed.
[1] http://www.debian.org/security/2000/20000719a
[2] http://www.cert.org/advisories/CA-2000-17.html
Hope I have helped.
- Will Wesley, CCNA
"Furious activity is no substitute for understanding."
-- H.H. Williams