2001-07-02 16:05:39

by kernel

Subject: Strange errors in /var/log/messages

Hi!

I'm running RedHat 7.0 with all official RH patches applied. The kernel I
have been running for a few days now is 2.2.19-7.0.8.
I run the pre-compiled kernel of RH. Suddenly I got the following messages:

Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
'BBXXXXXXXXXXXXXXXXXX%.176u%3
00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf

<CUT>

Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211

This continued for about half an hour. Then it stopped. What's going on
here??


2001-07-02 16:11:40

by remco

Subject: Re: Strange errors in /var/log/messages

<[email protected]> writes:

> Hi!
>
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> have been running for a few days now is 2.2.19-7.0.8.
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:

<snip error messages>

> This continued for about half an hour. Then it stopped. What's going on
> here??

Here you have two options:

You are either under attack by someone who's trying to exploit your
LPRng (someone's trying to use LPR's logging function to get a shell).
This is the LPRng string format _syslog bug that theoretically could
allow root access. For more info check http://www.securityfocus.com/vdb/bottom.html?vid=1712

The other option is that you're under rpc.statd attack at the moment.

In either case, make sure you have upgraded to the latest patch versions
and subscribe to BugTraq and the Security Focus Incidents mailing list :)

regards,
Remco

--
Remco B. Brink - SOL Børs A/S systems developer - http://www.norge-invest.no
Personal site at http://rc6.org - PGP/GnuPG key at http://rc6.org/rbb.pgp

"What you end up with, after running an operating system concept through
these many marketing coffee filters, is something not unlike plain hot
water."
(By Matt Welsh)

2001-07-02 16:17:09

by Alan

Subject: Re: Strange errors in /var/log/messages

> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> have been running for a few days now is 2.2.19-7.0.8.
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
>
> Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22

These are for an application. Not sure which or why

2001-07-02 17:01:10

by Richard B. Johnson

Subject: Re: Strange errors in /var/log/messages

On Mon, 2 Jul 2001 [email protected] wrote:

> Hi!
>
> I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> have been running for a few days now is 2.2.19-7.0.8.
> I run the pre-compiled kernel of RH. Suddenly I got the following messages:
>
> Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf
>
> <CUT>
>
> Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line
> 'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%30
> 0$n%.166u%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf\211
>
> This continued for about half an hour. Then it stopped. What's going on
> here??
>
> -

I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
on your system, the xinetd is more robust). It may have a new entry
on its last line providing a root shell to anybody. This looks somewhat
like an attack shown by CERN about 6 to 12 months ago.


Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

I was going to compile a list of innovations that could be
attributed to Microsoft. Once I realized that Ctrl-Alt-Del
was handled in the BIOS, I found that there aren't any.


2001-07-02 17:42:48

by Guest section DW

Subject: Re: Strange errors in /var/log/messages

On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:

> > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > have been running for a few days now is 2.2.19-7.0.8.
> > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> >
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22

> These are for an application. Not sure which or why

See CERT Advisory CA-2000-22
http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html

"A popular replacement software package to the BSD lpd printing service
called LPRng contains at least one software defect, known as a "format string
vulnerability," which may allow remote users to execute arbitrary code on
vulnerable systems."
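To see why the log entries quoted at the top of this thread match the CERT description, it helps to decode them. The `\220` runs are syslog's octal escape for the byte 0x90, the i386 NOP, so that part is a NOP sled followed by shellcode; the `%.176u` ... `%300$n` ... `%303$n` sequence in front of it is a set of `%n` writes using positional (direct parameter access) arguments, with the `%.Nu` precisions setting the byte count each `%n` stores. Together that is the shape of a format-string exploit attempt against the daemon that logged the line. The following triage script is an added example, not code from this thread or from LPRng: it decodes the escapes and flags those two indicators over a constructed, shortened copy of the two entries (the real ones carry hundreds of NOPs), plus two harmless lines for contrast. The NOP-run threshold is an assumption chosen for the shortened sample.

```python
"""Triage LPRng "Dispatch_input: bad request line" syslog entries for
format-string exploit attempts (added example, not LPRng code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log, modelled on the entries quoted in this thread.
# Payloads are shortened: the originals carry hundreds of \220 bytes, and
# each entry is one syslog line that the mail client wrapped.
SAMPLE_LOG = (
    "Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line "
    r"'BBXXXXXXXXXXXXXXXXXX%.176u%300$nsecurity.%301$n%302$n%.192u%303$n"
    r"\220\220\220\220\220\220\220\220\220\220\220\220"
    r"111F\200\2111f\2111\211C\211]C\211]K\211M\215M\2001\211ECf" "\n"
    "Jul 2 15:12:53 gateway SERVER[1152]: Dispatch_input: bad request line "
    r"'BBTUVWXXXXXXXXXXXXXXXXXX%.20u%300$n%.166u%301$n%302$n%.192u%303$n"
    r"\220\220\220\220\220\220\220\220111F\200\2111f\2111\211C" "\n"
    "Jul 2 15:13:10 gateway SERVER[1300]: Dispatch_input: bad request line "
    "'GET / HTTP/1.0\n"
    "Jul 2 15:14:00 gateway sshd[1400]: Accepted password for bob from 10.0.0.5 port 1022\n"
)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
BAD_REQUEST_MARKER = "Dispatch_input: bad request line '"
OCTAL_ESCAPE_RE = re.compile(r"\\([0-7]{1,3})")   # syslog escapes non-printables as \NNN
POSITIONAL_WRITE_RE = re.compile(rb"%(\d+)\$n")    # %N$n: write count to the N-th argument
PADDING_RE = re.compile(rb"%\.(\d+)u")             # %.Nu: at least N digits, sets the count
NOP = 0x90                                         # i386 NOP, i.e. \220 in the log
NOP_SLED_MIN = 8                                   # assumed threshold for the shortened sample


def unescape_syslog(text: str) -> bytes:
    """Turn \\NNN octal escapes back into bytes. An escape is at most three
    octal digits, so \\2111f decodes to 0x89 followed by the literal '1f'."""
    out = bytearray()
    pos = 0
    for m in OCTAL_ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8) & 0xFF)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest run of `byte` in `data` (NOP sled length)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


@dataclass
class Finding:
    timestamp: str
    pid: int
    write_targets: List[int]   # argument positions hit by %N$n
    padding_widths: List[int]  # %.Nu precisions that set the value each %n stores
    longest_nop_run: int
    verdict: str


def analyse_payload(payload: bytes) -> Tuple[List[int], List[int], int, str]:
    """Classify one decoded request line by its format-string and sled indicators."""
    writes = [int(m.group(1)) for m in POSITIONAL_WRITE_RE.finditer(payload)]
    widths = [int(m.group(1)) for m in PADDING_RE.finditer(payload)]
    nops = longest_run(payload, NOP)
    if writes:
        verdict = "format-string exploit attempt"
    elif nops >= NOP_SLED_MIN:
        verdict = "binary payload with NOP sled"
    else:
        verdict = "malformed request"
    return writes, widths, nops, verdict


def triage(log_text: str) -> List[Finding]:
    """Return a Finding for every logged bad request that carries exploit indicators."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or BAD_REQUEST_MARKER not in m.group("msg"):
            continue
        payload = unescape_syslog(m.group("msg").split(BAD_REQUEST_MARKER, 1)[1])
        writes, widths, nops, verdict = analyse_payload(payload)
        if verdict == "malformed request":
            continue  # e.g. a web browser pointed at port 515: noise, not an attack
        findings.append(Finding(m.group("ts"), int(m.group("pid")), writes, widths, nops, verdict))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} pid={f.pid}: {f.verdict}; %n targets={f.write_targets}, "
              f"precisions={f.padding_widths}, NOP run={f.longest_nop_run}")
```

Two caveats when reading the output. A logged attempt says nothing about whether it succeeded: the daemon that wrote the line got far enough to reject the request, but a second, unlogged attempt may have fared differently, so the package version and the listening services still need checking. And these entries carry no peer address, so attributing the source needs firewall, tcp_wrappers or netstat data captured at the time, not the LPRng log alone.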

2001-07-02 18:23:50

by Ville Herva

Subject: [OT] Re: Strange errors in /var/log/messages

On Mon, Jul 02, 2001 at 01:00:33PM -0400, you [Richard B. Johnson] claimed:
> > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> > 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> I think you just got 'rooted'. Look at /etc/inetd.conf (if it exists
> on your system, the xinetd is more robust). It may have a new entry
> on its last line providing a root shell to anybody. This looks somewhat
> like an attack shown by CERN about 6 to 12 months ago.

(This has nothing to do with linux-kernel, sorry...)

I don't think anything particular in that message suggests he actually got
rooted? It just seems that somebody tried to exploit lprNG hole (or
something else) and the daemon logged that. Of course, it *is* perfectly
possible, that he _got_ rooted (although he said he was running redhat-7.0
with all the updates).

(The attacker may have tried other attacks so if he got rooted, those above
are not necessarily the related log messages. In any case, a 'smart' intruder
would have cleaned the log. Also, a 'smart' attacker probably uses something
more advanced as backdoor than /etc/inetd.conf these days.)

Or is there something that actually indicates a successful intrusion in the
log snippet that I'm missing?


-- v --

[email protected]

2001-07-02 19:51:48

by kernel

Subject: Re: Strange errors in /var/log/messages

On Mon, 2 Jul 2001, Guest section DW wrote:

> On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
>
> > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > have been running for a few days now is 2.2.19-7.0.8.
> > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > >
> > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
>
> > These are for an application. Not sure which or why
>
> See CERT Advisory CA-2000-22
> http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
>
> "A popular replacement software package to the BSD lpd printing service
> called LPRng contains at least one software defect, known as a "format string
> vulnerability," which may allow remote users to execute arbitrary code on
> vulnerable systems."

I just read the article. It seems somebody tried to exploit a bug in
LPRng. Unfortunately I didn't check the TCP/IP connections at the time of the
attack (with netstat), so I couldn't tell who was connected to port 515.
The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
I assume I'm not vulnerable, but those 'errors' in the logfile really
scared the heck out of me! :) To be certain, I just blocked port 515 for
outbound connections. :)

By the way, sorry this message was off-topic, but I didn't know it was an
LPRng issue, not a kernel issue.

Thanks!

2001-07-03 07:46:18

by David Weinehall

Subject: Re: Strange errors in /var/log/messages

On Mon, Jul 02, 2001 at 09:51:44PM +0200, [email protected] wrote:
> On Mon, 2 Jul 2001, Guest section DW wrote:
>
> > On Mon, Jul 02, 2001 at 05:16:23PM +0100, Alan Cox wrote:
> >
> > > > I'm running RedHat 7.0 with all official RH patches applied. The kernel I
> > > > have been running for a few days now is 2.2.19-7.0.8.
> > > > I run the pre-compiled kernel of RH. Suddenly I got the following messages:
> > > >
> > > > Jul 2 15:12:16 gateway SERVER[1240]: Dispatch_input: bad request line
> > > > 'BBXXXXXXXXXXXXXXXXXX%.176u%3
> > > > 00$nsecurity.%301$n%302$n%.192u%303$n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> >
> > > These are for an application. Not sure which or why
> >
> > See CERT Advisory CA-2000-22
> > http://www.infowar.com/iwftp/cert/advisories/CA-2000-22.html
> >
> > "A popular replacement software package to the BSD lpd printing service
> > called LPRng contains at least one software defect, known as a "format string
> > vulnerability," which may allow remote users to execute arbitrary code on
> > vulnerable systems."
>
> I just read the article. It seems somebody tried to exploit a bug in
> LPRng. Unfortunately I didn't check the TCP/IP connections at the time of the
> attack (with netstat), so I couldn't tell who was connected to port 515.
> The article suggests upgrading to 3.6.25. I'm currently running 3.7.4-23.
> I assume I'm not vulnerable, but those 'errors' in the logfile really
> scared the heck out of me! :) To be certain, I just blocked port 515 for
> outbound connections. :)
>
> By the way, sorry this message was off-topic, but I didn't know it was an
> LPRng issue, not a kernel issue.

A good idea is to block all ports, then open only those you know need to
be open. Paranoia is good.


/David
_ _
// David Weinehall <[email protected]> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </