* Strange errors in /var/log/messages

From: kernel @ 2001-07-02 16:05 UTC
To: linux-kernel; +Cc: Enforcer

Hi!

I'm running RedHat 7.0 with all official RH patches applied. The kernel I
currently run for a few days is 2.2.19-7.0.8.
I run the pre-compiled kernel of RH. Suddenly I got the following messages:

Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.176u%3
00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf

<CUT>

Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line 'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211

This continued for about half an hour. Then it stopped. What's going on here??
* Re: Strange errors in /var/log/messages

From: Remco B. Brink @ 2001-07-02 16:11 UTC
To: kernel; +Cc: linux-kernel, Enforcer

<kernel@ddx.a2000.nu> writes:

> Hi!
>
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> currently run for a few days is 2.2.19-7.0.8
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:

<snip error messages>

> This continued for about half an hour. Then it stopped. What's going on
> here??

Here you have two options:

You are either under attack by someone who's trying to exploit your LPRng
(someone's trying to use LPR's logging function to get a shell). This is
the LPRng string format _syslog bug that theoretically could allow root
access. For more info check http://www.securityfocus.com/vdb/bottom.html?vid=1712

The other option is that you're under rpc.statd attack at the moment.

In either case, make sure you have upgraded to the latest patch versions and
subscribe to BugTraq and the Security Focus Incidents mailing list :)

regards,
Remco

-- 
Remco B. Brink - SOL Børs A/S systemsdeveloper - http://www.norge-invest.no
Personal site at http://rc6.org - PGP/GnuPG key at http://rc6.org/rbb.pgp
"What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water." (By Matt Welsh)
* Re: Strange errors in /var/log/messages

From: Alan Cox @ 2001-07-02 16:16 UTC
To: kernel; +Cc: linux-kernel, Enforcer

> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> currently run for a few days is 2.2.19-7.0.8
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
>
> Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22

These are for an application. Not sure which or why
* Re: Strange errors in /var/log/messages

From: Guest section DW @ 2001-07-02 17:42 UTC
To: Alan Cox, kernel; +Cc: linux-kernel, Enforcer

On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:

> > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > currently run for a few days is 2.2.19-7.0.8
> > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> >
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22

> These are for an application. Not sure which or why

See CERT Advisory CA-2000-22
http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html

"A popular replacement software package to the BSD lpd printing service
called LPRng contains at least one software defect, known as a "format string
vulnerability," which may allow remote users to execute arbitrary code on
vulnerable systems."
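The defect class the advisory names, shown in a logging path. This is an added example written for this page; it is not LPRng's code and is not taken from the advisory or from anyone in the thread. `log_write` stands in for the kind of logging wrapper a daemon like lpd has, and formats into a caller-supplied buffer instead of calling syslog() so the result can be inspected offline. The vulnerable caller hands the request text to `log_write` as the format string; the fixed caller passes a constant `"%s"` format and the request only as data. The probe input uses nothing but `%%`, which is enough to show the text being interpreted without the `%n` write the real attack relies on; the attack prefix taken from the logged lines is only inspected by `contains_format_directive`, never used as a format.

```c
/* Added example, not LPRng's code: a logging wrapper that formats the
 * message into a buffer (real lpd would hand the result to syslog). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

static void log_write(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, LOGBUF, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the attacker-controlled request line *is* the format
 * string, so every '%' directive in it is interpreted by vsnprintf. */
const char *log_request_vulnerable(const char *request)
{
    static char out[LOGBUF];
    log_write(out, request);
    return out;
}

/* Fixed pattern: constant format, the untrusted text is only ever data. */
const char *log_request_fixed(const char *request)
{
    static char out[LOGBUF];
    log_write(out, "%s", request);
    return out;
}

/* True if printf would interpret something in s: a '%' that is not half of
 * a literal "%%" pair and is not the last character. Useful as a defensive
 * assertion or a log-review hint; it is not a substitute for the fix above. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal percent sign: skip the pair */
            s++;
            continue;
        }
        if (s[1] != '\0')       /* flags, width, precision or a conversion follow */
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed probe: harmless, but visibly altered by the vulnerable path. */
    const char *probe = "job 100%% done";
    /* Prefix of the attack string from the logged lines. Only inspected, never
     * used as a format: "%300$n" would write to memory. */
    const char *attack = "BBXXXXXXXXXXXXXXXXXX%.176u%300$nsecurity.%301$n";

    printf("vulnerable: %s\n", log_request_vulnerable(probe)); /* job 100% done */
    printf("fixed:      %s\n", log_request_fixed(probe));      /* job 100%% done */
    printf("attack prefix carries directives: %d\n",
           contains_format_directive(attack));                  /* 1 */
    return 0;
}
```

The vulnerable output loses a percent sign because vsnprintf consumed `%%` as a directive; with the attacker's `%u`/`%n` sequence in the same position it would instead read and write through the stack, which is what the advisory describes. Compilers only warn about a non-literal format when the callee is a known printf-family function or carries a format attribute, so a home-grown wrapper like `log_write` hides the bug from `-Wformat-security` unless the attribute is added.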
* Re: Strange errors in /var/log/messages

From: kernel @ 2001-07-02 19:51 UTC
To: Guest section DW; +Cc: Alan Cox, linux-kernel, Enforcer

On Mon, 2 Jul 2001, Guest section DW wrote:

> On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
>
> > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > currently run for a few days is 2.2.19-7.0.8
> > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > >
> > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> > These are for an application. Not sure which or why
>
> See CERT Advisory CA-2000-22
> http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
>
> "A popular replacement software package to the BSD lpd printing service
> called LPRng contains at least one software defect, known as a "format string
> vulnerability," which may allow remote users to execute arbitrary code on
> vulnerable systems."

I just read the article. It seems somebody tried to exploit a bug in
LPRng. Unfortunately I didn't check the TCP/IP connections at the time of
attack (with netstat), so I couldn't tell who was connected to port 515.
The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
I assume I'm not vulnerable, but those 'errors' in the logfile really
scared the heck out of me! :) To be certain, I just blocked port 515 for
outbound connections. :)

By the way, sorry this message was off-topic, but I didn't know it was a
LPRng issue, not a kernel issue.

Thanks!
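What the logged request lines carry, and a scanner that would have flagged them at the time. This is an added example written for this page, not code from LPRng or from anyone in the thread. The sample lines embedded in it are constructed: the first two are shortened copies of the real ones (a 24-byte NOP sled instead of several hundred bytes, the wrapped `\22` / `0` fragments rejoined), the third and fourth are made-up lines for contrast. The scanner looks for the two things that make these entries an exploit attempt rather than noise: `%<index>$n` directives, which tell printf to write a byte counter to the address found at that argument position, and a long run of `\220` (octal for 0x90, the x86 NOP) followed by other octal-escaped bytes, i.e. a NOP sled and shellcode as syslog renders non-printable input. A `%<index>$n` has no legitimate use in a print request, so one is enough to classify the line. Since lpd takes these requests on TCP port 515, it is inbound connections to 515 that a packet filter has to cover.

```c
/* Added example, not LPRng's code: fingerprinting the LPRng format-string
 * attack in "Dispatch_input: bad request line" syslog entries. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { LINE_OTHER = 0, LINE_BENIGN = 1,
               LINE_FORMAT_WRITE = 2, LINE_FORMAT_WRITE_WITH_PAYLOAD = 3 };

struct fingerprint {
    int positional_writes;   /* "%<digits>$n": write-what-where primitives   */
    int width_pads;          /* "%.<digits>u": sets the count that %n writes  */
    int longest_nop_run;     /* consecutive "\220" escapes (0x90, x86 NOP)    */
    int other_octal;         /* other "\ooo" escapes: shellcode body bytes    */
};

static int is_octal_escape(const char *p)
{
    return p[0] == '\\' && isdigit((unsigned char)p[1]) &&
           isdigit((unsigned char)p[2]) && isdigit((unsigned char)p[3]);
}

struct fingerprint scan_request(const char *line)
{
    struct fingerprint f = {0, 0, 0, 0};
    int run = 0;

    for (const char *p = line; *p; p++) {
        if (is_octal_escape(p) && strncmp(p + 1, "220", 3) == 0) {
            if (++run > f.longest_nop_run)
                f.longest_nop_run = run;
            p += 3;                 /* the loop's p++ finishes the 4-char escape */
            continue;
        }
        run = 0;                    /* anything else ends the sled */
        if (is_octal_escape(p)) {
            f.other_octal++;
            p += 3;
            continue;
        }
        if (*p == '%') {
            const char *q = p + 1;
            int digits = 0;
            if (*q == '.')
                q++;
            while (isdigit((unsigned char)*q)) {
                q++;
                digits++;
            }
            if (digits && q[0] == '$' && q[1] == 'n') {
                f.positional_writes++;
                p = q + 1;
            } else if (digits && *q == 'u') {
                f.width_pads++;
                p = q;
            }
        }
    }
    return f;
}

enum verdict classify_line(const char *line)
{
    struct fingerprint f;
    if (strstr(line, "Dispatch_input: bad request line") == NULL)
        return LINE_OTHER;
    f = scan_request(line);
    if (f.positional_writes == 0)
        return LINE_BENIGN;
    return (f.longest_nop_run >= 8 && f.other_octal > 0)
               ? LINE_FORMAT_WRITE_WITH_PAYLOAD : LINE_FORMAT_WRITE;
}

/* Constructed sample lines, shortened from the real ones in the thread. */
#define NOP8 "\\220\\220\\220\\220\\220\\220\\220\\220"
#define SHELLCODE_TAIL "111F\\200\\2111f\\2111\\211C\\211]C\\211]K\\211M\\215M\\2001\\211ECf"

const char *SAMPLE_ATTACK_1 =
    "Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line "
    "'BBXXXXXXXXXXXXXXXXXX%.176u%300$nsecurity.%301$n%302$n%.192u%303$n"
    NOP8 NOP8 NOP8 SHELLCODE_TAIL;
const char *SAMPLE_ATTACK_2 =
    "Jul  2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line "
    "'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%300$n%.166u%301$n%302$n%.192u%303$n"
    NOP8 NOP8 NOP8 SHELLCODE_TAIL;
const char *SAMPLE_BENIGN =
    "Jul  2 15:30:07 gateway SERVER[1301]: Dispatch_input: bad request line "
    "'GET /printers?progress=50% HTTP/1.0'";
const char *SAMPLE_UNRELATED =
    "Jul  2 15:31:00 gateway sshd[1310]: Accepted password for user from 10.0.0.5";

int main(void)
{
    const char *samples[] = { SAMPLE_ATTACK_1, SAMPLE_ATTACK_2, SAMPLE_BENIGN, SAMPLE_UNRELATED };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fingerprint f = scan_request(samples[i]);
        printf("verdict=%d writes=%d pads=%d nop_run=%d octal=%d\n",
               classify_line(samples[i]), f.positional_writes, f.width_pads,
               f.longest_nop_run, f.other_octal);
    }
    return 0;
}
```

Run over the two attack samples the scanner reports four positional writes each (`%300$n` to `%303$n`, the attacker patching one address four times by successive `%u` paddings), a 24-byte NOP run and ten further escaped bytes; the benign line with a stray `%` scores nothing. A log entry like this proves an attempt, not a compromise, which is the distinction the rest of the thread turns on.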
* Re: Strange errors in /var/log/messages

From: David Weinehall @ 2001-07-03 7:45 UTC
To: kernel; +Cc: Guest section DW, Alan Cox, linux-kernel, Enforcer

On Mon, Jul 02, 2001 at 09:51:44PM +0200, kernel@ddx.a2000.nu wrote:
> On Mon, 2 Jul 2001, Guest section DW wrote:
>
> > On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
> >
> > > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > > currently run for a few days is 2.2.19-7.0.8
> > > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > > >
> > > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> >
> > > These are for an application. Not sure which or why
> >
> > See CERT Advisory CA-2000-22
> > http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
> >
> > "A popular replacement software package to the BSD lpd printing service
> > called LPRng contains at least one software defect, known as a "format string
> > vulnerability," which may allow remote users to execute arbitrary code on
> > vulnerable systems."
>
> I just read the article. It seems somebody tried to exploit a bug in
> LPRng. Unfortunately I didn't check the TCP/IP connections at the time of
> attack (with netstat), so I couldn't tell who was connected to port 515.
> The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
> I assume I'm not vulnerable, but those 'errors' in the logfile really
> scared the heck out of me! :) To be certain, I just blocked port 515 for
> outbound connections. :)
>
> By the way, sorry this message was off-topic, but I didn't know it was a
> LPRng issue, not a kernel issue.

A good idea is to block all ports, then open only those you know need to
be open. Paranoia is good.

/David

 _                                                                 _
// David Weinehall <tao@acc.umu.se> /> Northern lights wander      \\
//  Project MCA Linux hacker        //  Dance across the winter sky //
\>  http://www.acc.umu.se/~tao/    </   Full colour fire           </
* Re: Strange errors in /var/log/messages

From: Richard B. Johnson @ 2001-07-02 17:00 UTC
To: kernel; +Cc: linux-kernel, Enforcer

On Mon, 2 Jul 2001 kernel@ddx.a2000.nu wrote:

> Hi!
>
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> currently run for a few days is 2.2.19-7.0.8
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
>
> Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf
>
> <CUT>
>
> Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
> 'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
> 0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211
>
> This continued for about half an hour. Then it stopped. What's going on
> here??
>
> -

I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
on your system, the xinetd is more robust). It may have a new entry
on its last line providing a root shell to anybody. This looks somewhat
like an attack shown by CERN about 6 to 12 months ago.

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.
* [OT] Re: Strange errors in /var/log/messages

From: Ville Herva @ 2001-07-02 18:23 UTC
To: Richard B. Johnson; +Cc: kernel, linux-kernel, Enforcer

On Mon, Jul 02, 2001 at 01:00:33PM -0400, you [Richard B. Johnson] claimed:
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
> on your system, the xinetd is more robust). It may have a new entry
> on its last line providing a root shell to anybody. This looks somewhat
> like an attack shown by CERN about 6 to 12 months ago.

(This has nothing to do with linux-kernel, sorry...)

I don't think anything particular in that message suggests he actually got
rooted? It just seems that somebody tried to exploit the lprNG hole (or
something else) and the daemon logged that.

Of course, it *is* perfectly possible, that he _got_ rooted (although he
said he was running redhat-7.0 with all the updates). (The attacker may
have tried other attacks so if he got rooted, those above are not
necessarily the related log messages. In any case, a 'smart' intruder
would have cleaned the log. Also, a 'smart' attacker probably uses
something more advanced as a backdoor than /etc/inetd.conf these days.)

Or is there something that actually indicates a successful intrusion in
the log snippet that I'm missing?

-- v --

v@iki.fi
Thread overview: 8 messages

2001-07-02 16:05 Strange errors in /var/log/messages  kernel
2001-07-02 16:11 ` Remco B. Brink
2001-07-02 16:16 ` Alan Cox
2001-07-02 17:42   ` Guest section DW
2001-07-02 19:51     ` kernel
2001-07-03  7:45       ` David Weinehall
2001-07-02 17:00 ` Richard B. Johnson
2001-07-02 18:23   ` [OT] Ville Herva