Security Incidents mailing list archives
Re: syslogd exploit? (fwd)
From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Wed, 22 Mar 2000 09:54:06 +0100
On Mon, Mar 20, 2000 at 10:29:38PM -0800, Bill Cassady wrote:
---------- Forwarded message ----------
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 20 Mar 2000 20:56:24 -0800
Subject: Bounced: syslogd exploit?

This message is more appropriate for the incidents mailing list at incidents () securityfocus com.

Return-Path: <owner-bugtraq () securityfocus com>
Delivered-To: bugtraq () lists securityfocus com

This is a log of an incident where the entire partition containing the home directory was wiped. A couple of weeks prior to this incident, syslogd crashed: ps showed it running, but it was not really logging. After killing and restarting it, it resumed normal behavior.

Why was amd trying to remount something? What? A knowledgeable friend suggested that the entry could have been made through syslogd. But we'll never know, right?
This looks to me like a more or less successful amd exploit. Especially the line with "inetd" looks suspicious. If this is a Linux box, you were probably running "am-utils version 6.0 (build 6)" or less, which is vulnerable to a syslog (not syslogd!) overflow attack. I'd say your box was hacked.

Erich
[attachment: crash]

Mar 16 09:32:24 osiris pppd[433]: Serial connection established.
Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0
Mar 16 09:32:25 osiris pppd[433]: Connect: ppp0 <--> /dev/modem
Mar 16 09:32:28 osiris pppd[433]: local IP address 216.7.176.224
Mar 16 09:32:28 osiris pppd[433]: remote IP address 205.134.234.50
Mar 16 09:32:58 osiris pppd[433]: IPXCP: timeout sending Config-Requests
Mar 16 17:13:48 osiris
Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together
Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#^PRr^??Rr^??Rr^??Rr^??Rr^??
Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)
Mar 16 20:02:29 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Connection terminated.
Mar 16 20:02:31 osiris pppd[433]: Exit.

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
--
Erich Meier
Erich.Meier () informatik uni-erlangen de
http://www4.informatik.uni-erlangen.de/~meier/
Dilbert: "Today I started hating people in advance."
Dogbert: "It saves time."
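As an added example (not part of the thread, and not code from am-utils or any syslogd), the checker below runs over constructed log lines modelled on the crash log above and flags the three things the thread points at as signs of an overflow attempt delivered through syslog: syslogd's "Cannot glue message parts together" reassembly failure, a raw syslog packet (priority tag plus a second timestamp) logged as message text, and long runs of control characters in a message body, plus a shell-style command fragment with a path under /tmp. The sample lines, the 8-byte run threshold and the regular expressions are all assumptions made for the example; the ^P run is shortened from the original.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the incident log in the thread
# (the control-character run is shortened; the real one was far longer).
SAMPLE_LOG = [
    "Mar 16 09:32:28 osiris pppd[433]: local IP address 216.7.176.224",
    "Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together",
    "Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of "
    + "\x10" * 64,
    "Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#\x10Rr\x7f\xffRr",
    "Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)",
]

# Header as written by a BSD-style syslogd: "Mon DD HH:MM:SS host ".
HEADER_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# A priority tag followed by a fresh timestamp *inside* the body means a raw
# syslog packet was recorded as text ("osiris 30>Mar 16 17:13:48 amd[136]: ...").
EMBEDDED_RE = re.compile(r"<?\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")
# ASCII control characters other than tab/newline, plus DEL; a long run of
# these is the classic NOP-sled shape and never belongs in a mount path.
CTRL_RUN_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]+")
# Command separator, then an absolute path ending in bin/<name>, then /tmp/.
SHELL_RE = re.compile(r"[;&|]\s*/\S*bin/\S+.*?/tmp/")


def max_control_run(text: str) -> int:
    """Length of the longest run of control characters in text (0 if none)."""
    return max((len(m.group(0)) for m in CTRL_RUN_RE.finditer(text)), default=0)


def check_line(line: str, min_run: int = 8) -> List[str]:
    """Return the list of reasons this log line looks suspicious (empty if clean)."""
    reasons: List[str] = []
    header = HEADER_RE.match(line)
    body = line[header.end():] if header else line  # analyse the message body only
    if "Cannot glue message parts together" in body:
        reasons.append("reassembly-failure")  # syslogd got an oversized/split message
    if EMBEDDED_RE.search(body):
        reasons.append("embedded-syslog-header")  # raw packet logged as text
    run = max_control_run(body)
    if run >= min_run:
        reasons.append(f"control-run:{run}")
    if SHELL_RE.search(body):
        reasons.append("shell-fragment")  # e.g. ";/usr/sbin/inetd /tmp/h &"
    return reasons


def analyze(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their reasons, keeping only flagged lines."""
    result: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, 1):
        reasons = check_line(line)
        if reasons:
            result[number] = reasons
    return result


if __name__ == "__main__":
    for number, reasons in analyze(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(reasons)}")
```

Run over the constructed sample the checker flags lines 2, 3 and 4 and leaves the pppd and PAM lines alone. The useful property for a defender is that the three indicators are independent: a reassembly failure alone is noise, but a reassembly failure immediately followed by an embedded header and a control-character run in the same second is exactly the pattern in the crash log, so a real deployment would correlate them by timestamp rather than alert on each separately.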
Current thread:
- what are these? Dirk Koopman (Mar 16)
- Re: what are these? Peter Bates (Mar 17)
- syslogd exploit? (fwd) Bill Cassady (Mar 20)
- Re: syslogd exploit? (fwd) Erich Meier (Mar 22)
- Re: syslogd exploit? (fwd) Pavel Kankovsky (Mar 22)
- Re: syslogd exploit? (fwd) Jeffrey F. Lawhorn (Mar 22)
- Re: what are these? Imran Ghory (Mar 21)
- <Possible follow-ups>
- Re: what are these? Fernando Cardoso (Mar 17)
- Re: what are these? Chris Adams (Mar 20)