I _just_ saw the red hat security update for sysklogd and guess what? part of it reads
thusly:
"klogd contains instances of the:
syslog( LOG_INFO, buffer );
vulnerability that has recently been discussed on Bugtraq and similar
mailing lists; by supplying some string that contains '%' escapes, it is
possible to have those escapes interpreted, which can lead to the ability
to gain root access."
Notice all the %'s in that log entry. Script Kiddies! That's freaky, to think that
people move that fast. I was going to get around to removing rpc "as soon as I could"
- guess I should have moved faster than that :(
Well, now I guess I need to find out if they got in anyway. Off to work I go.....
JW
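The Red Hat text above names the bug class (an attacker-supplied buffer handed to syslog() as its format string), and the question in the thread is how to tell such an entry apart from ordinary noise in /var/log/messages. Here is an added detection example, not from the thread or from sysklogd: it parses syslog-shaped lines and grades each message body by the printf directives it contains, run over constructed sample lines (the rpc.statd one mimics the shape of the entry quoted further down, with the shellcode bytes left out).

```python
import re

# printf-style tokens: "%%" (a literal percent) or a conversion directive with
# optional flags, width and precision. Found "%%" tokens are discarded so a
# doubled percent is not mistaken for a directive.
DIRECTIVE = re.compile(r'%%|%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]')

# syslog line shape: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')

# Constructed sample lines (hosts, pids and messages are made up for this example).
SAMPLE_LOG = """\
Sep 24 00:01:47 csc003 rpc.statd[387]: gethostbyname error for %8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n
Sep 24 00:02:10 csc003 sshd[412]: Accepted password for jw from 192.0.2.10 port 1022
Sep 24 00:03:00 csc003 cron[455]: (root) CMD (df: /var is 95% full)
Sep 24 00:04:21 csc003 httpd[470]: GET /index.html?q=a%25b from 192.0.2.20
"""

def classify(msg, max_directives=4):
    """Grade one message body by what printf would do if it were the format string."""
    directives = [d for d in DIRECTIVE.findall(msg) if d != '%%']
    if any(d.endswith('n') for d in directives):
        return 'critical', '%n directive: a memory write if this reached a format string'
    if len(directives) >= max_directives:
        return 'high', f'{len(directives)} conversion directives: stack-read probe pattern'
    if directives:
        # A lone "% f" in "95% full" is a directive to printf but benign text to a human.
        return 'low', f'{len(directives)} directive(s): usually ordinary text'
    return 'clean', 'no conversion directives'

def scan(log_text):
    """Return (host, proc, verdict, reason) for every syslog-shaped line."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # not syslog shaped; skip rather than guess at fields
        verdict, reason = classify(m['msg'])
        findings.append((m['host'], m['proc'], verdict, reason))
    return findings

if __name__ == '__main__':
    for host, proc, verdict, reason in scan(SAMPLE_LOG):
        print(f'{verdict:8} {host} {proc}: {reason}')
```

The 'low' tier exists because ordinary messages such as "95% full" do contain what printf would parse as a directive; only %n or a run of directives is worth paging someone over.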
At 02:16 PM 9/25/2000 +1100, you wrote:
>You must be mad to run rpc.statd on a box on the internet. I'd ipchains it or remove
>it if you don't use it. Once they get in via rpc.statd, they then remove the
>offending entries from the log files. So either they didn't get in, or their log
>cleaner didn't clean up properly.
>
>Tom
>
>On Sun, Sep 24, 2000 at 10:14:51PM -0500, Jonathan Wilson wrote:
>> Howdy,
>> I was just checking my logs, and as it so happens logrotate had just rotated them
>> so I looked back at the last one (/var/log/messages) and noticed something
>> interesting (note this is a _very_ low traffic server, and no one should be on it at
>> 12:00 saturday night/sunday morning):
>>
>> Sep 24 00:01:47 csc003 rpc.statd[387]: gethostbyname error for
>^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n^A°fÍ€³^D°fÍ€³^E0ÀA^D°fÍ€‰ÎÃ1ɰ?Í
>>
>>
>> Sep 24 @ 00:01:47 is, like, midnight last night right?
>>
>> Any ideas if that's a crack attempt, or is it simply some weird bug report? Never
>> seen such garble-dee-gook in a log file. All the other log files look 100% ok, even
>> /var/log/secure. Do you think someone was just looking for a RPC vulnerability?
>>
>> JW
>>
>>
>>
>> _______________________________________________
>> Redhat-list mailing list
>> [EMAIL PROTECTED]
>> https://listman.redhat.com/mailman/listinfo/redhat-list