
Re: Breakin Attempt? Tracking source



On Sun, Aug 27, 2000 at 02:06:07PM +1100, Damon Muller wrote:

> Aug 26 19:28:01 callisto
> Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together
> Aug 26 19:28:01 callisto 173>Aug 26 19:28:01 /sbin/rpc.statd[282]:
> gethostbyname
> +error for
> +^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x
[snip]
> +E0??A^D?f?
> Aug 26 19:28:01 callisto
> ?^F/bin?F^D/shA0??F^G?v^L?V^P?N^L???^K???^A???^????
> Aug 26 19:28:03 callisto
> 
> This happened twice last night, and also a few days previously.
> 
> Is this likely to be an attack attempt or is something just
> misconfigured somewhere? Snort didn't pick up anything, but it might be
> something that is newer than my snort rules. The fact that there is a
> /bin/sh in amongst the garbage suggests to me that it's an attempted
> buffer overflow.

It is a buffer overflow against rpc.statd. Check to see what version
of nfs-common you have; if it's less than version 1:0.1.9.1-1 you have
probably been compromised. If that is the version you have, you're
probably fine.

One of the things these exploits did was add a line to /etc/inetd to
run /bin/sh for any connections to a certain port, so I would look
for anything unusual in your /etc/inetd.conf just to be sure.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpUGNYtB1ScZ.pgp
Description: PGP signature
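
The two checks suggested in this reply, written out as an added example that is not part of the original thread: scan syslog for rpc.statd "gethostbyname error" lines whose argument carries printf directives (the %8x...%n run and the /bin/sh fragment visible in the quoted log), and scan /etc/inetd.conf for entries that hand incoming connections to a shell. Both inputs below are constructed samples embedded in the script; the hostnames, PIDs and the "ingreslock" service name are assumptions, not data from the poster's machine.

```python
import os
import re

# Constructed syslog excerpt, modelled on the lines quoted in the thread.
# The payload bytes are stand-ins, not a real exploit string.
SAMPLE_SYSLOG = (
    "Aug 26 19:27:55 callisto sshd[210]: Accepted password for dm from 10.0.0.5\n"
    "Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together\n"
    "Aug 26 19:28:01 callisto /sbin/rpc.statd[282]: gethostbyname error for "
    "\x18\x9a\x9a\x9a%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x/bin/sh\n"
    "Aug 26 19:28:03 callisto rpc.statd[282]: gethostbyname error for host.example.org\n"
)

# Constructed inetd.conf: two ordinary wrapped services plus one planted
# backdoor of the kind the reply describes (a shell bound to a port).
SAMPLE_INETD = (
    "# /etc/inetd.conf: see inetd(8) for further information.\n"
    "ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd\n"
    "telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd\n"
    "ingreslock stream tcp nowait root /bin/sh sh -i\n"
)

# rpc.statd logs the hostname it failed to resolve; a hostname never
# legitimately contains printf directives or control bytes.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)$")
FORMAT_DIRECTIVE = re.compile(r"%(?:\d+)?[xnsp]")
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "ash", "dash"}


def suspicious_statd_lines(text):
    """Return [(line_number, [reasons])] for rpc.statd lines that look like
    a format-string attack rather than an ordinary resolver failure."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STATD_RE.search(line)
        if not m:
            continue
        arg = m.group(1)
        directives = FORMAT_DIRECTIVE.findall(arg)
        reasons = []
        if "%n" in directives:
            reasons.append("%n write directive")       # the memory-write primitive
        elif directives:
            reasons.append("printf directives in hostname")
        if "/bin/sh" in arg:
            reasons.append("shell path in hostname")   # shellcode string
        if any(ord(c) < 0x20 or ord(c) > 0x7e for c in arg):
            reasons.append("non-printable bytes")      # addresses / shellcode
        if reasons:
            hits.append((lineno, reasons))
    return hits


def suspicious_inetd_entries(text):
    """Return [(line_number, service, reason)] for inetd.conf entries whose
    server program, or any program named in its arguments, is a shell."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            hits.append((lineno, fields[0], "malformed entry"))
            continue
        service, server, args = fields[0], fields[5], fields[6:]
        if server == "internal":           # echo/discard/chargen etc.
            continue
        # Check the server path and every argument, so a shell hidden
        # behind a tcpd wrapper (/usr/sbin/tcpd /bin/sh) is caught too.
        programs = [server] + args
        if any(os.path.basename(p) in SHELLS for p in programs):
            hits.append((lineno, service, "entry runs a shell: " + " ".join(programs)))
    return hits


if __name__ == "__main__":
    for lineno, reasons in suspicious_statd_lines(SAMPLE_SYSLOG):
        print("syslog line %d: %s" % (lineno, ", ".join(reasons)))
    for lineno, service, reason in suspicious_inetd_entries(SAMPLE_INETD):
        print("inetd.conf line %d (%s): %s" % (lineno, service, reason))
```

On a real host the script would read /var/log/messages (or wherever daemon.* is sent) and /etc/inetd.conf instead of the embedded samples. The inetd check is a cheap tripwire, not proof of a clean system: an attacker with root could equally have left a setuid binary, a cron job or a modified daemon, so a pre-patch version of rpc.statd plus these log lines warrants treating the box as compromised regardless of what inetd.conf shows.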

