
Break-in Attempt? Tracking source



Hi gang,

Like all good (or at least passably competent) systems administrators, I
use logcheck to mail me anything out of the ordinary that turns up in my
logs each night. Last night, I found something that I can only guess is
a buffer overflow attempt. Here is the relevant part of the log (note
that the plusses come from mutt's wrapping of the line):

Aug 26 19:28:01 callisto
Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together
Aug 26 19:28:01 callisto 173>Aug 26 19:28:01 /sbin/rpc.statd[282]:
gethostbyname
+error for
+^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x
+%n%10x%n%192x%n????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+???????????????????????????????????????????????????????????????????????????????
+?????1??|Y?A^P?A^H???A^D?????^A?f???^B?Y^L?A^N??A^H^P?I^D?A^D^L?^A?f???^D?f???^
+E0??A^D?f?
Aug 26 19:28:01 callisto
?^F/bin?F^D/shA0??F^G?v^L?V^P?N^L???^K???^A???^????
Aug 26 19:28:03 callisto

This happened twice last night, and also a few days previously.

Is this likely to be an attack attempt or is something just
misconfigured somewhere? Snort didn't pick up anything, but it might be
something that is newer than my snort rules. The fact that there is a
/bin/sh in amongst the garbage suggests to me that it's an attempted
buffer overflow.

(FWIW, I do use NFS on this machine, but somehow the `ipchains -P input
DENY' was absent from my firewall script, so I didn't have a default
DENY rule covering all the non-blocked privileged ports. This is now
fixed.)

I'm assuming that the machine was not compromised, because this is still
in the logs, all the relevant debsums check out, and I'm running the
latest potato, for which hopefully there are no known major security
holes. However, this may be a naive assumption on my part...

What I'm wondering is if there is any way to find out where this attempt
(if that's what it was) came from. There are a bunch of numbers that
look like an IP at the start of the garbage, might that be it?

I'm also running ippl (which I just tested, which goes nuts when I do a
stealth scan with nmap) and portsentry, and there has been no indication
recently of a portscan or anything like that. Nothing to indicate anyone
has been paying unusual attention to my network or system (this machine
is also the gateway to the network).

cheers,

damon (who hopes that his computer forensics is up to scratch and/or
that he's not just being too paranoid!)

-- 
Damon Muller (dm-sig6@empire.net.au) /  It's not a sense of humor.
* Criminologist                     /  It's a sense of irony
* Webmeister                       /  disguised as one.
* Linux Geek                      /     - Bruce Sterling 

- Running Debian GNU/Linux: Doing my bit for World Domination (tm) -

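The logged string above carries a run of %8x conversions followed by several %n directives, which is the pattern of a printf-family format-string attack: %n writes to memory, so it has no legitimate reason to appear in a hostname handed to gethostbyname and then to syslog. As an added example (not code from the original post, and not part of logcheck), here is a small scanner that flags such lines. The log excerpt embedded in it is constructed: a shortened copy of the rpc.statd line from the message, with the non-printable bytes already rendered as `?` and `^X` the way mutt showed them, surrounded by ordinary lines so the thresholds can be seen to work.

```python
"""Flag syslog lines that carry printf-style format-string attack indicators.

Added example for the thread above; it is not code from the original post
or from logcheck. SAMPLE_LOG is constructed: a shortened copy of the
rpc.statd line in the message (non-printable bytes rendered as '?' and
'^X' by mutt) surrounded by ordinary, benign lines.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = [
    "Aug 26 19:27:55 callisto sshd[211]: Accepted password for damon from 192.168.1.2",
    "Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together",
    "Aug 26 19:28:01 callisto 173>Aug 26 19:28:01 /sbin/rpc.statd[282]: "
    "gethostbyname error for ^X???^X???^Y???^Y???^Z???^Z???"
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    "??????????????????????????????????^F/bin?F^D/shA0??F^G?v^L",
    "Aug 26 19:30:12 callisto cron[300]: disk usage at 95% on /var",
]

# A printf conversion: '%', optional flags, optional width, optional
# precision, then a conversion character. '%n' is the one that writes to
# memory, so it has no business appearing in attacker-controlled text.
CONVERSION = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")

# "Mon DD HH:MM:SS host rest" as written by classic syslogd.
SYSLOG_LINE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


@dataclass
class Finding:
    timestamp: str
    host: str
    conversions: int          # total %-conversions seen in the message body
    writes: int               # how many of them are %n
    shell_string: bool        # '/bin' and '/sh' fragments, typical of shellcode
    reasons: list = field(default_factory=list)


def analyse_line(line, min_conversions=4):
    """Return a Finding if the line looks like a format-string attack, else None.

    min_conversions is a threshold, not a rule: a lone '% o' in prose
    (see the cron line in SAMPLE_LOG) matches the regex but is noise.
    """
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    timestamp, host, body = m.groups()
    convs = CONVERSION.findall(body)
    writes = sum(1 for c in convs if c.endswith("n"))
    shell = "/bin" in body and "/sh" in body
    reasons = []
    if writes:
        reasons.append(f"{writes} x %n (memory write directive)")
    if len(convs) >= min_conversions:
        reasons.append(f"{len(convs)} printf conversions in one message")
    if shell:
        reasons.append("/bin ... /sh fragment (shellcode string)")
    if not reasons:
        return None
    return Finding(timestamp, host, len(convs), writes, shell, reasons)


def scan(lines, min_conversions=4):
    """Run analyse_line over an iterable of log lines; keep only the hits."""
    hits = []
    for line in lines:
        f = analyse_line(line, min_conversions)
        if f is not None:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: " + "; ".join(f.reasons))
```

Run against the constructed excerpt it reports only the rpc.statd line (17 conversions, four of them %n, plus the /bin and /sh fragments); the sshd and cron lines pass. One caveat on attribution: this scanner only sees what syslog recorded, and the rpc.statd message records the name it was asked to look up, not the address of the peer that supplied it, so the source has to come from elsewhere (firewall packet logging or a capture) correlated on the timestamp.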