Hi gang,

Like all good (or at least passably competent) systems administrators, I use logcheck to mail me anything out of the ordinary that turns up in my logs each night. Last night, I found something that I can only guess is a buffer overflow attempt. Here is the relevant part of the log (note that the plusses come from mutt's wrapping of the line):

Aug 26 19:28:01 callisto
Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together
Aug 26 19:28:01 callisto 173>Aug 26 19:28:01 /sbin/rpc.statd[282]: gethostbyname
+error for
+^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x
+%n%10x%n%192x%n????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+?????1??|Y?A^P?A^H???A^D?????^A?f???^B?Y^L?A^N??A^H^P?I^D?A^D^L?^A?f???^D?f???^
+E0??A^D?f?
Aug 26 19:28:01 callisto ?^F/bin?F^D/shA0??F^G?v^L?V^P?N^L???^K???^A???^????
Aug 26 19:28:03 callisto

This happened twice last night, and also a few days previously. Is this likely to be an attack attempt or is something just misconfigured somewhere? Snort didn't pick up anything, but it might be something that is newer than my snort rules.
The fact that there is a /bin/sh in amongst the garbage suggests to me that it's an attempted buffer overflow. (FWIW, I do use NFS on this machine, but somehow the `ipchains -P input DENY' was absent from my firewall script, so I didn't have a default DENY rule covering all the non-blocked privileged ports. This is now fixed.)

I'm assuming that the machine was not compromised, because this is still in the logs, all the relevant debsums check out, and I'm running the latest potato, for which hopefully there are no known major security holes. However, this may be a naive assumption on my part...

What I'm wondering is if there is any way to find out where this attempt (if that's what it was) came from. There are a bunch of numbers that look like an IP at the start of the garbage; might that be it?

I'm also running ippl (which I just tested, which goes nuts when I do a stealth scan with nmap) and portsentry, and there has been no indication recently of a portscan or anything like that. Nothing to indicate anyone has been paying unusual attention to my network or system (this machine is also the gateway to the network).

cheers,
damon (who hopes that his computer forensics is up to scratch and/or that he's not just being too paranoid!)

-- 
Damon Muller (dm-sig6@empire.net.au) / It's not a sense of humor. *
Criminologist                        / It's a sense of irony       *
Webmeister                           / disguised as one.           *
Linux Geek                           / - Bruce Sterling -          *
Running Debian GNU/Linux: Doing my bit for World Domination (tm) -
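A defender-side check for log entries like the one quoted above, added here as an example and not part of the original post: it scans constructed syslog lines for the %n write directives, %<width>x padding and shell-path fragments that the gethostbyname error carries, together with the syslogd "Cannot glue message parts together" lines that accompany an oversized message. The sample lines (the second is a shortened stand-in, not the real payload), hostnames and addresses are constructed.

```python
import re

# Constructed sample syslog lines (not the poster's real log). The second line
# is a shortened stand-in for the rpc.statd gethostbyname payload.
SAMPLE_LOG = """\
Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together
Aug 26 19:28:01 callisto /sbin/rpc.statd[282]: gethostbyname error for ^X???%8x%8x%8x%236x%n%137x%n%10x%n???????/bin?F^D/sh
Aug 26 19:30:12 callisto /sbin/rpc.statd[282]: gethostbyname error for odd-but-legit-name.example
Aug 26 19:31:00 callisto sshd[1200]: Accepted publickey for damon from 192.0.2.10
"""

# %n makes printf-style functions write to memory; %<width>x directives pad the
# output to steer that write. A hostname never needs either, so several of them
# in one logged name point to a format-string attack rather than a bad resolver.
WRITE_DIRECTIVE = re.compile(r"%\d*n")
PAD_DIRECTIVE = re.compile(r"%\d*[xdsup]")
SHELL_FRAGMENT = re.compile(r"/bin|/sh")
CONTROL_CHAR = re.compile(r"\^[A-Z\[\]^_]")   # caret-notation bytes as logcheck/mutt show them
GLUE_MESSAGE = "Cannot glue message parts together"

def score_line(line):
    """Return the indicator counts found in one syslog line."""
    return {
        "writes": len(WRITE_DIRECTIVE.findall(line)),
        "pads": len(PAD_DIRECTIVE.findall(line)),
        "shell": SHELL_FRAGMENT.search(line) is not None,
        "control": len(CONTROL_CHAR.findall(line)),
        "glue": GLUE_MESSAGE in line,
    }

def is_suspicious(ind):
    # A lone %n could be a typo in a hostname; %n plus padding or a shell path is not.
    return ind["writes"] >= 1 and (ind["pads"] >= 1 or ind["shell"])

def scan(text):
    """Return (line_number, indicators) for each suspicious line and for the
    syslogd glue-failure lines that usually surround an oversized message."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        ind = score_line(line)
        if is_suspicious(ind) or ind["glue"]:
            hits.append((n, ind))
    return hits

if __name__ == "__main__":
    for n, ind in scan(SAMPLE_LOG):
        print(f"line {n}: {ind}")
```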