linux-kernel.vger.kernel.org archive mirror
* Strange errors in /var/log/messages
@ 2001-07-02 16:05 kernel
  2001-07-02 16:11 ` Remco B. Brink
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: kernel @ 2001-07-02 16:05 UTC (permalink / raw)
  To: linux-kernel; +Cc: Enforcer

Hi!

I'm running RedHat 7.0 with all official RH patches applied. The kernel I
currently run for a few days is 2.2.19-7.0.8
I run the pre-compiled kernel of RH. Suddenly I got the following messages:

Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
'BBXXXXXXXXXXXXXXXXXX%.176u%3
00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf

<CUT>

Jul  2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211

This continued for about half an hour. Then it stopped. What's going on
here??



* Re: Strange errors in /var/log/messages
  2001-07-02 16:05 Strange errors in /var/log/messages kernel
@ 2001-07-02 16:11 ` Remco B. Brink
  2001-07-02 16:16 ` Alan Cox
  2001-07-02 17:00 ` Richard B. Johnson
  2 siblings, 0 replies; 8+ messages in thread
From: Remco B. Brink @ 2001-07-02 16:11 UTC (permalink / raw)
  To: kernel; +Cc: linux-kernel, Enforcer

<kernel@ddx.a2000.nu> writes:

> Hi!
> 
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> currently run for a few days is 2.2.19-7.0.8
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:

<snip error messages>

> This continued for about half an hour. Then it stopped. What's going on
> here??

Here you have two options:

You are either under attack by someone who's trying to exploit your
LPRng (someone's trying to use LPR's logging function to get a shell).
This is the LPRng string format _syslog bug that theoretically could
allow root access. For more info check http://www.securityfocus.com/vdb/bottom.html?vid=1712

The other option is that you're under rpc.statd attack at the moment.

In either case, make sure you have upgraded to the latest patch versions
and subscribe to BugTraq and the Security Focus Incidents mailing list :)

regards,
Remco

-- 
Remco B. Brink - SOL Børs A/S systemsdeveloper - http://www.norge-invest.no
Personal site at http://rc6.org  -  PGP/GnuPG key at http://rc6.org/rbb.pgp

"What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water."
(By Matt Welsh)


* Re: Strange errors in /var/log/messages
  2001-07-02 16:05 Strange errors in /var/log/messages kernel
  2001-07-02 16:11 ` Remco B. Brink
@ 2001-07-02 16:16 ` Alan Cox
  2001-07-02 17:42   ` Guest section DW
  2001-07-02 17:00 ` Richard B. Johnson
  2 siblings, 1 reply; 8+ messages in thread
From: Alan Cox @ 2001-07-02 16:16 UTC (permalink / raw)
  To: kernel; +Cc: linux-kernel, Enforcer

> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> currently run for a few days is 2.2.19-7.0.8
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> 
> Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22

These are for an application.  Not sure which or why 



* Re: Strange errors in /var/log/messages
  2001-07-02 16:05 Strange errors in /var/log/messages kernel
  2001-07-02 16:11 ` Remco B. Brink
  2001-07-02 16:16 ` Alan Cox
@ 2001-07-02 17:00 ` Richard B. Johnson
  2001-07-02 18:23   ` [OT] " Ville Herva
  2 siblings, 1 reply; 8+ messages in thread
From: Richard B. Johnson @ 2001-07-02 17:00 UTC (permalink / raw)
  To: kernel; +Cc: linux-kernel, Enforcer

On Mon, 2 Jul 2001 kernel@ddx.a2000.nu wrote:

> Hi!
> 
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> currently run for a few days is 2.2.19-7.0.8
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> 
> Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf
> 
> <CUT>
> 
> Jul  2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
> 'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
> 0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211
> 
> This continued for about half an hour. Then it stopped. What's going on
> here??
> 
> -

I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
on your system, the xinetd is more robust). It may have a new entry
on its last line providing a root shell to anybody. This looks somewhat
like an attack shown by CERN about 6 to 12 months ago.


Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

    I was going to compile a list of innovations that could be
    attributed to Microsoft. Once I realized that Ctrl-Alt-Del
    was handled in the BIOS, I found that there aren't any.




* Re: Strange errors in /var/log/messages
  2001-07-02 16:16 ` Alan Cox
@ 2001-07-02 17:42   ` Guest section DW
  2001-07-02 19:51     ` kernel
  0 siblings, 1 reply; 8+ messages in thread
From: Guest section DW @ 2001-07-02 17:42 UTC (permalink / raw)
  To: Alan Cox, kernel; +Cc: linux-kernel, Enforcer

On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:

> > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > currently run for a few days is 2.2.19-7.0.8
> > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > 
> > Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22

> These are for an application.  Not sure which or why 

See CERT Advisory CA-2000-22
	http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html

  "A popular replacement software package to the BSD lpd printing service
   called LPRng contains at least one software defect, known as a "format string
   vulnerability," which may allow remote users to execute arbitrary code on
   vulnerable systems."

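Added example (not code from this thread, from LPRng or from the CERT advisory): a small Python triage script that does mechanically what the replies above do by eye. It pulls the printf conversion specifications out of each syslog line, counts the `%n` write specifiers (the `%300$n` direct-parameter-access form selects the 300th argument as the write target, and the preceding `%.176u` pads the output so that the byte count `%n` stores is attacker-chosen), and decodes syslogd's three-digit octal escapes so that the run of `\220` bytes (0x90, the x86 NOP) can be measured as a sled. The sample lines are constructed from the two entries quoted in the thread with the sled shortened to 40 bytes; the 16-byte sled threshold, the verdict labels and the function names are assumptions.

```python
"""Triage syslog lines for format-string exploit attempts (added example, not LPRng code)."""
import re
from typing import Dict, List

# Constructed sample lines, modelled on the two entries quoted in this thread. The payload
# is shortened: the real lines carry a much longer run of \220 (0x90, x86 NOP) bytes.
SAMPLE_LOG: List[str] = [
    "Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line "
    "'BBXXXXXXXXXXXXXXXXXX%.176u%300$nsecurity.%301$n%302$n%.192u%303$n"
    + "\\220" * 40
    + "111F\\200\\2111f\\2111\\211C\\211]C\\211]K\\211M\\215M\\2001\\211ECf",
    "Jul  2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line "
    "'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%300$n%.166u%301$n%302$n%.192u%303$n"
    + "\\220" * 40
    + "111F\\200\\2111f\\2111\\211C\\211]C\\211]K\\211M\\215M\\2001\\211ECf\\211",
    # A malformed but harmless request containing a percent sign: must not be flagged.
    "Jul  2 15:20:01 gateway SERVER[1300]: Dispatch_input: bad request line 'GET /?q=100%25'",
    "Jul  2 15:21:09 gateway kernel: eth0: link up",
]

# Syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
_SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\s\[:]+)"
    r"(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# One printf conversion specification, including the "%N$" direct-parameter-access form.
_SPEC = re.compile(
    r"%(?P<pos>\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?P<prec>\d+|\*))?"
    r"(?:hh|h|ll|l|q|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)
# syslogd writes non-printable bytes as three-digit octal escapes, e.g. \220 for 0x90.
_OCTAL = re.compile(r"\\([0-7]{3})")
# Assumed threshold: a legitimate lpd request never contains 16 consecutive NOP bytes.
MIN_SLED = 16


def decode_syslog_escapes(text: str) -> bytes:
    """Turn syslog's \\NNN octal escapes back into the bytes the daemon received."""
    out = bytearray()
    pos = 0
    for m in _OCTAL.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        value = int(m.group(1), 8)
        if value > 0xFF:  # \400 and above cannot be a byte; keep it literally
            out += m.group(0).encode("latin-1")
        else:
            out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def longest_run(data: bytes, value: int = 0x90) -> int:
    """Length of the longest run of `value` bytes, i.e. the NOP sled size for 0x90."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def classify(writes: int, reads: int, sled: int) -> str:
    if writes and sled >= MIN_SLED:
        return "format-string exploit attempt (write primitive + shellcode)"
    if writes:
        return "format-string write attempt"
    if sled >= MIN_SLED:
        return "shellcode-like payload"
    if reads >= 2:
        return "format-string probe (argument leak)"
    return "benign"


def analyse(line: str) -> Dict[str, object]:
    """Score one syslog line; lines without a syslog prefix are scanned whole."""
    m = _SYSLOG.match(line)
    msg = m.group("msg") if m else line
    writes = positional = reads = 0
    for spec in _SPEC.finditer(msg):
        conv = spec.group("conv")
        if conv == "n":                 # %n stores the byte count through a pointer argument
            writes += 1
            if spec.group("pos"):       # %N$n picks the Nth argument as the target
                positional += 1
        elif conv in "diouxXps":        # specifiers that consume (and may leak) an argument
            reads += 1
    sled = longest_run(decode_syslog_escapes(msg), 0x90)
    return {
        "program": m.group("prog") if m else "?",
        "pid": m.group("pid") if m else None,
        "writes": writes,
        "positional": positional,
        "reads": reads,
        "nop_sled": sled,
        "verdict": classify(writes, reads, sled),
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [analyse(line) for line in lines]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['program']}[{r['pid']}] writes={r['writes']} positional={r['positional']} "
              f"reads={r['reads']} sled={r['nop_sled']} -> {r['verdict']}")
```

The script only establishes that an attempt was logged, which is the point Ville makes further down the thread: whether it succeeded depends on the LPRng build that received it, so pair the verdict with the package version check and the port 515 connection check the original poster mentions in his follow-up, rather than treating the log line alone as proof either way.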

* [OT] Re: Strange errors in /var/log/messages
  2001-07-02 17:00 ` Richard B. Johnson
@ 2001-07-02 18:23   ` Ville Herva
  0 siblings, 0 replies; 8+ messages in thread
From: Ville Herva @ 2001-07-02 18:23 UTC (permalink / raw)
  To: Richard B. Johnson; +Cc: kernel, linux-kernel, Enforcer

On Mon, Jul 02, 2001 at 01:00:33PM -0400, you [Richard B. Johnson] claimed:
> > Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 
> I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
> on your system, the xinetd is more robust). It may have a new entry
> on its last line providing a root shell to anybody. This looks somewhat
> like an attack shown by CERN about 6 to 12 months ago.

(This has nothing to do with linux-kernel, sorry...)

I don't think anything particular in that message suggests he actually got
rooted? It just seems that somebody tried to exploit the LPRng hole (or
something else) and the daemon logged that. Of course, it *is* perfectly
possible that he _got_ rooted (although he said he was running redhat-7.0
with all the updates).

(The attacker may have tried other attacks, so if he got rooted, those above
are not necessarily the related log messages. In any case, a 'smart' intruder
would have cleaned the log. Also, a 'smart' attacker probably uses something
more advanced as a backdoor than /etc/inetd.conf these days.)

Or is there something that actually indicates a successful intrusion in the
log snippet that I'm missing?


-- v --

v@iki.fi


* Re: Strange errors in /var/log/messages
  2001-07-02 17:42   ` Guest section DW
@ 2001-07-02 19:51     ` kernel
  2001-07-03  7:45       ` David Weinehall
  0 siblings, 1 reply; 8+ messages in thread
From: kernel @ 2001-07-02 19:51 UTC (permalink / raw)
  To: Guest section DW; +Cc: Alan Cox, linux-kernel, Enforcer

On Mon, 2 Jul 2001, Guest section DW wrote:

> On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
>
> > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > currently run for a few days is 2.2.19-7.0.8
> > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > >
> > > Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> > These are for an application.  Not sure which or why
>
> See CERT Advisory CA-2000-22
> 	http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
>
>   "A popular replacement software package to the BSD lpd printing service
>    called LPRng contains at least one software defect, known as a "format string
>    vulnerability," which may allow remote users to execute arbitrary code on
>    vulnerable systems."

I just read the article. It seems somebody tried to exploit a bug in
LPRng. Unfortunately I didn't check the TCP/IP connections at the time of the
attack (with netstat), so I couldn't tell who was connected to port 515.
The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
I assume I'm not vulnerable, but those 'errors' in the logfile really
scared the heck out of me! :) To be certain, I just blocked port 515 for
outbound connections. :)

By the way, sorry this message was off-topic, but I didn't know it was an
LPRng issue, not a kernel issue.

Thanks!



* Re: Strange errors in /var/log/messages
  2001-07-02 19:51     ` kernel
@ 2001-07-03  7:45       ` David Weinehall
  0 siblings, 0 replies; 8+ messages in thread
From: David Weinehall @ 2001-07-03  7:45 UTC (permalink / raw)
  To: kernel; +Cc: Guest section DW, Alan Cox, linux-kernel, Enforcer

On Mon, Jul 02, 2001 at 09:51:44PM +0200, kernel@ddx.a2000.nu wrote:
> On Mon, 2 Jul 2001, Guest section DW wrote:
> 
> > On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
> >
> > > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > > currently run for a few days is 2.2.19-7.0.8
> > > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > > >
> > > > Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> >
> > > These are for an application.  Not sure which or why
> >
> > See CERT Advisory CA-2000-22
> > 	http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
> >
> >   "A popular replacement software package to the BSD lpd printing service
> >    called LPRng contains at least one software defect, known as a "format string
> >    vulnerability," which may allow remote users to execute arbitrary code on
> >    vulnerable systems."
> 
> I just read the article. It seems somebody tried to exploit a bug in
> LPRng. Unfortunately I didn't check the TCP/IP connections at the time of the
> attack (with netstat), so I couldn't tell who was connected to port 515.
> The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
> I assume I'm not vulnerable, but those 'errors' in the logfile really
> scared the heck out of me! :) To be certain, I just blocked port 515 for
> outbound connections. :)
> 
> By the way, sorry this message was off-topic, but I didn't know it was an
> LPRng issue, not a kernel issue.

A good idea is to block all ports, then open only those you know need to
be open. Paranoia is good.


/David
  _                                                                 _
 // David Weinehall <tao@acc.umu.se> /> Northern lights wander      \\
//  Project MCA Linux hacker        //  Dance across the winter sky //
\>  http://www.acc.umu.se/~tao/    </   Full colour fire           </

