
Unknown Server Lockup - (k)syslog hack!



I had 2 different server lockups in the last week.  In a reply to an email
on another list someone suggested that this is a "syslog hack exploit".

I see nothing in the debian.org pages about this and we do have the
latest version of sysklogd (1.3-31).  Has anyone heard about this
problem?  Is there a fix for it?  Please see the email below for
details.

Thanks,

Ken Rea


---------- Forwarded message ----------
Date: Tue, 20 Apr 1999 14:45:34 -0400
From: Matthew Prentice <mprentice@WESTLAKE.COM>
Reply-To: Linux Servers mailing list <SERVER-LINUX@netspace.org>
To: SERVER-LINUX@netspace.org
Subject: Re: Unknown Server Lockup

Ken,

It's a syslog hack exploit.  Make sure you have the most up-to-date
(k)syslog.

You might be able to rescue your system if you have a session
as root (either on the console, or telnet and then su to root).  You won't
be able to login after the exploit has been attempted.  If you already
have the root session established then you should be able to stop and
restart the klog and syslog processes and everything should be okay
(except you still have a vulnerable system).

I think there are some versions of syslog that claim to fix
the exploit but still lock up.  I upgraded a system of ours to a package
that claimed to fix the problem but the machine still locked up.  After I
upgraded to the next revision everything is fine.  I see some attempts in
the logs but the system keeps churning along without a hitch.


Matthew R. Prentice                             matthew@westlake.com
Director of Information Systems                         703-522-6500
WestLake Internet Training                          www.westlake.com


On Tue, 20 Apr 1999, Ken Rea wrote:

> One of our servers has taken to locking up twice in the last week.  The
> machine is a Pentium class machine that runs a Debian distribution with a
> 2.0.36 kernel. It has been running fine since last July without any
> problems.
>
> The only thing the logs show is a bunch of "^@^@^@^@^@^@^" in the syslog
> file and that's it! With a monitor on the server I see nothing, just a
> blank screen.  The only thing that can be done is to re-start the machine.
>
> Anyone run into this before?  I don't have a clue on what to look at.
>
> Thanks,
>
> Ken Rea
> wildcat@pcez.com
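
The "^@" characters in the quoted syslog excerpt are how pagers and editors display NUL bytes. As an added example (not part of the original thread), this Python script finds runs of NUL bytes in a log file and reports the last line before and the first line after each run, which brackets the time window of a lockup. The four-byte threshold, the function name and the sample data are assumptions constructed for the example.

```python
import re
import sys

# Four or more consecutive NUL bytes count as a run (threshold is an assumption).
NUL_RUN = re.compile(rb"\x00{4,}")

# Constructed sample log, not taken from the thread.
SAMPLE = (
    b"Apr 20 03:12:01 host1 cron[411]: constructed sample line\n"
    b"Apr 20 03:14:55 host1 kernel: constructed sample line\n"
    + b"\x00" * 37
    + b"Apr 20 08:30:12 host1 kernel: constructed line after restart\n"
)

def find_nul_runs(data: bytes):
    """Return one dict per NUL run with its offset, length and neighbouring lines."""
    findings = []
    for m in NUL_RUN.finditer(data):
        # Last complete line written before the run started.
        before = data[:m.start()].rstrip(b"\n").rsplit(b"\n", 1)[-1]
        # First line written after the run ended.
        after = data[m.end():].lstrip(b"\n").split(b"\n", 1)[0]
        findings.append({
            "offset": m.start(),
            "length": m.end() - m.start(),
            "last_line_before": before.decode("latin-1"),
            "first_line_after": after.decode("latin-1"),
        })
    return findings

if __name__ == "__main__":
    # Usage: script.py /path/to/logfile  (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for f in find_nul_runs(data):
        print(f"{f['length']} NUL bytes at offset {f['offset']}")
        print(f"  last line before: {f['last_line_before']}")
        print(f"  first line after: {f['first_line_after']}")
```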

