Re: Strange errors in /var/log/messages

David Weinehall (tao@acc.umu.se)
Tue, 3 Jul 2001 09:45:34 +0200


On Mon, Jul 02, 2001 at 09:51:44PM +0200, kernel@ddx.a2000.nu wrote:
> On Mon, 2 Jul 2001, Guest section DW wrote:
>
> > On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
> >
> > > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > > currently run for a few days is 2.2.19-7.0.8
> > > > I run the pre-compiled kernel of RH. Suddenly I get the following messages:
> > > >
> > > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> >
> > > These are for an application. Not sure which or why
> >
> > See CERT Advisory CA-2000-22
> > http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
> >
> > "A popular replacement software package to the BSD lpd printing service
> > called LPRng contains at least one software defect, known as a "format string
> > vulnerability," which may allow remote users to execute arbitrary code on
> > vulnerable systems."
>
> I just read the article. It seems somebody tried to exploit a bug in
> LPRng. Unfortunately I didn't check the TCP/IP connections at the time of
> attack (with netstat), so I couldn't tell who was connected to port 515.
> The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
> I assume I'm not vulnerable, but those 'errors' in the logfile really
> scared the heck out of me! :) To be certain, I just blocked port 515 for
> outbound connections. :)
>
> By the way, sorry this message was off-topic, but I didn't know it was a
> LPRng issue, not a kernel issue.

A good idea is to block all ports, then open only those you know need to
be open. Paranoia is good.

/David
_ _
// David Weinehall <tao@acc.umu.se> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </
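
A detection sketch for the kind of log entry quoted in this thread, added here as an example and not part of the original messages. It flags syslog lines whose message text carries format-string exploit markers (`%N$n` writes, wide `%.NNNu` padding, runs of syslog-escaped `\220` bytes); the regexes, function names and sample log lines are constructed for illustration.

```python
import re

# Markers of a format-string exploit attempt echoed back into a log message.
INDICATORS = {
    # %300$n style: direct parameter access combined with the %n write conversion
    "direct_param_write": re.compile(r"%\d+\$(?:hh|h|l)?n"),
    # bare %n / %hn: stores the number of bytes printed so far
    "write_conversion": re.compile(r"%(?:hh|h|l)?n"),
    # %.176u style: large precision used to steer the value that %n stores
    "wide_padding": re.compile(r"%\.?\d{3,}[udxX]"),
    # syslog renders non-printable bytes as octal escapes; \220 is byte 0x90
    "escaped_0x90_run": re.compile(r"(?:\\220){8,}"),
}

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")

def classify(message):
    """Return the sorted names of all indicators present in a message."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(message))

def scan(lines, min_hits=1):
    """Return one finding per syslog line carrying at least min_hits indicators."""
    findings = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue  # not a syslog-formatted line
        ts, host, prog, pid, msg = m.groups()
        hits = classify(msg)
        if len(hits) >= min_hits:
            findings.append({"time": ts, "host": host, "program": prog,
                             "pid": pid, "indicators": hits})
    return findings

# Constructed sample lines; the first is modelled on the entry quoted above.
SAMPLE_LOG = [
    r"Jul  2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line "
    r"'BBXX%.176u%300$nsecurity.%301$n%302$n%.192u%303$n" + r"\220" * 12 + "'",
    "Jul  2 15:13:02 gateway sshd[812]: Accepted password for alice from 192.0.2.10",
    "Jul  2 15:14:40 gateway kernel: disk usage at 100%, rotating logs",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
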