[OT] Re: Strange errors in /var/log/messages

Ville Herva (vherva@mail.niksula.cs.hut.fi)
Mon, 2 Jul 2001 21:23:16 +0300

On Mon, Jul 02, 2001 at 01:00:33PM -0400, you [Richard B. Johnson] claimed:
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
> on your system, the xinetd is more robust). It may have a new entry
> on its last line providing a root shell to anybody. This looks somewhat
> like an attack shown by CERN about 6 to 12 months ago.

(This has nothing to do with linux-kernel, sorry...)

I don't think anything particular in that message suggests he actually got
rooted? It just seems that somebody tried to exploit lprNG hole (or
something else) and the daemon logged that. Of course, it *is* perfectly
possible, that he _got_ rooted (although he said he was running redhat-7.0
with all the updates).

(The attacker may have tried other attacks so if he got rooted, those above
are not necessarily the related log messages. In any case, a 'smart' intruder
would have cleaned the log. Also, 'smart' attacker propably uses something
more advanced as backdoor than /etc/inetd.conf these days.)

Or is there something that actually indicates a succesfull intrusion in the
log snippet that I'm missing?

-- v --

v@iki.fi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/