On Sun, Aug 27, 2000 at 02:06:07PM +1100, Damon Muller wrote:
> Aug 26 19:28:01 callisto
> Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together
> Aug 26 19:28:01 callisto 173>Aug 26 19:28:01 /sbin/rpc.statd[282]:
> gethostbyname
> +error for
> +^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x
[snip]
> +E0??A^D?f?
> Aug 26 19:28:01 callisto
> ?^F/bin?F^D/shA0??F^G?v^L?V^P?N^L???^K???^A???^????
> Aug 26 19:28:03 callisto
>
> This happened twice last night, and also a few days previously.
>
> Is this likely to be an attack attempt or is something just
> misconfigured somewhere? Snort didn't pick up anything, but it might be
> something that is newer than my snort rules. The fact that there is a
> /bin/sh in amongst the garbage suggests to me that it's an attempted
> buffer overflow.

It is a buffer overflow against rpc.statd. Check to see what version of
nfs-common you have; if it's less than Version: 1:0.1.9.1-1 you have
probably been compromised. If that is the version you have, you're
probably fine.

One of the things these exploits did was add a line to /etc/inetd to run
/bin/sh for any connections to a certain port, so I would look for
anything unusual in your /etc/inetd.conf just to be sure.

--
Ethan Benson
http://www.alaska.net/~erbenson/
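As an added example, not part of this thread and not anything Snort ships: a small Python detector that applies the two checks the reply points at, run over constructed sample data. The first scans syslog lines for what the quoted log shows, a run of width-padded %x directives followed by %n (the write directive of a printf-style format string payload), raw non-printable bytes and a /bin/sh string; the second flags inetd.conf entries that hand a connecting client a shell or bind a bare port number instead of a named service. The host name, pid, port number, log text and inetd.conf contents below are constructed for the example and are not taken from the original report.

```python
import re

# Traditional syslogd line: "Mon DD HH:MM:SS host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Indicators of a printf-style format string payload inside a logged string:
#   %n        the directive that writes to memory (the attack primitive)
#   %8x%8x..  width-padded reads that walk the stack up to the target slot
#   /bin/sh   the string the injected shellcode passes to execve
#   raw bytes addresses, NOP sled and machine code are not printable text
WRITE_DIRECTIVE = re.compile(r"%\d*n")
STACK_WALK = re.compile(r"(?:%\d*[xXdup]){4,}")
SHELL_STRING = re.compile(r"/bin/(?:ba)?sh")
NONPRINTABLE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\xff]")


def parse_syslog_line(line):
    """Return the fields of a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify_message(msg):
    """Return the format-string indicators found in one logged message."""
    indicators = []
    if WRITE_DIRECTIVE.search(msg):
        indicators.append("format-string-write")
    if STACK_WALK.search(msg):
        indicators.append("format-string-stack-walk")
    if SHELL_STRING.search(msg):
        indicators.append("shell-string")
    if len(NONPRINTABLE.findall(msg)) >= 8:
        indicators.append("binary-payload")
    return indicators


def scan_syslog(lines):
    """One finding per line carrying at least one indicator.

    A payload that breaks the line format (the report shows syslogd failing
    to glue the message together) is still scanned, with prog/pid as None.
    """
    findings = []
    for line in lines:
        fields = parse_syslog_line(line)
        text = fields["msg"] if fields else line
        indicators = classify_message(text)
        if indicators:
            findings.append({
                "host": fields["host"] if fields else None,
                "prog": fields["prog"] if fields else None,
                "pid": fields["pid"] if fields else None,
                "indicators": indicators,
                "line": line,
            })
    return findings


# inetd.conf fields: service socktype proto wait/nowait user server [args]
SHELL_PATH = re.compile(r"(^|/)(ba)?sh$")


def suspicious_inetd_entries(conf_text):
    """Return (line_no, reason, line) for entries worth a second look."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:
            continue
        service, server, args = fields[0], fields[5], fields[6:]
        if SHELL_PATH.search(server) or any(SHELL_PATH.search(a) for a in args):
            hits.append((n, "shell as server program", line))
        elif service.isdigit():
            hits.append((n, "numeric service (port) rather than a name", line))
    return hits


# Constructed sample input (not the original log): three benign lines, one
# of them containing a harmless '%', and one line shaped like the payload.
SAMPLE_LOG = [
    "Aug 26 19:27:55 callisto rpc.statd[282]: Version 1.0 Starting",
    "Aug 26 19:28:00 callisto mon[300]: /dev/hda1 is 90% full",
    "Aug 26 19:28:01 callisto syslogd: Cannot glue message parts together",
    "Aug 26 19:28:01 callisto rpc.statd[282]: gethostbyname error for "
    + "\x18\xf7\xff\xbf\x19\xf7\xff\xbf"   # addresses the %n writes target
    + "%8x" * 9 + "%236x%n%137x%n"        # stack walk, then the writes
    + "\x90" * 8 + "\xeb\x1f/bin/sh",     # NOP sled, jump, shell string
]

# Constructed inetd.conf (hypothetical port 9999): the last line is the kind
# of entry the reply says these exploits added.
SAMPLE_INETD_CONF = """\
# service  socktype  proto  wait    user  server           args
ftp        stream    tcp    nowait  root  /usr/sbin/tcpd   in.ftpd
telnet     stream    tcp    nowait  root  /usr/sbin/tcpd   in.telnetd
9999       stream    tcp    nowait  root  /bin/sh          sh -i
"""

if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG):
        print(f"{f['host']} {f['prog']}[{f['pid']}]: {', '.join(f['indicators'])}")
    for n, reason, line in suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print(f"inetd.conf line {n}: {reason}: {line}")
```

Run it against a real /var/log/messages and /etc/inetd.conf by feeding the file contents to scan_syslog and suspicious_inetd_entries; the line with a '%' followed by a space is deliberately included to show that a lone percent sign is not flagged, only the directive pattern is.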