
Re: syslog messages



Marcel Welschbillig wrote:
> Hi,
> 
> I'm getting these strange entries in my syslog file. Can anyone shed some
> light on what this means?
> 
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for
> ^X<F7><FF>
> <BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7><FF><BF>^[<F7>
> <FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
blah blah blah
> Thanks in advance!
> 
> Marcel

Something along the lines of an old statd exploit. I believe this DSA [1]
is the one that covers it, and also this CERT Advisory [2]. I would
personally believe that the attack was unsuccessful, since it did write
it to the log (rather than crash and give the attacker a shell), but the
CERT advisory leads me to think otherwise. Check your version of nfs;
0.1.9.1-1 or better should be fixed.

[1] http://www.debian.org/security/2000/20000719a
[2] http://www.cert.org/advisories/CA-2000-17.html

Hope I have helped.

- Will Wesley, CCNA
"Furious activity is no substitute for understanding."
		-- H.H. Williams
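
Added example, not part of the original thread: a small Python scanner that reassembles syslog records split across lines, as in the quoted entry, and flags rpc.statd "gethostbyname error" records whose hostname field carries printf-style directives. The function names and the sample lines are constructed for illustration.

```python
import re

# Start of a classic BSD-syslog record: "Feb 21 14:03:35 host ..."
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+")
# printf-style conversions; %n (a memory write) is the strongest indicator.
DIRECTIVE = re.compile(r"%(\d*)([xn])")
STATD = re.compile(r"rpc\.statd(?:\[\d+\])?: gethostbyname error for")

def reassemble(lines):
    """Join continuation lines (no timestamp) onto the preceding record."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def scan(lines):
    """Return a finding for each rpc.statd record carrying format directives."""
    findings = []
    for rec in reassemble(lines):
        if not STATD.search(rec):
            continue
        kinds = [m.group(2) for m in DIRECTIVE.finditer(rec)]
        if kinds:
            findings.append({
                "timestamp": rec[:15],
                "percent_x": kinds.count("x"),
                "percent_n": kinds.count("n"),
                "record": rec,
            })
    return findings

# Constructed sample, modelled on the entry quoted in the post; binary bytes
# appear the way the log rendered them (e.g. "<F7>").
SAMPLE = [
    "Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together",
    "Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for",
    "^X<F7><FF><BF>^X<F7><FF><BF>%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\\220",
    "Feb 21 14:04:02 jbeam /sbin/rpc.statd[198]: gethostbyname error for mail01",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["timestamp"], "%x:", f["percent_x"], "%n:", f["percent_n"])
```

A hit only shows that a request with format directives reached statd and was logged; whether the daemon was vulnerable depends on the installed package version, as the reply above says.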


