Re: Got hacked by Ramen-style attack

2001-11-22 Thread Jim McCloskey


Thomas Amm [EMAIL PROTECTED] wrote:

| that's what I found in my logs after I had to reboot my
| router, which also worked as a print server (now I know better)
| because of a DoS.

Exactly the same messages here (in /var/log/sys.log and
/var/log/messages). See my earlier posting:

 To: [EMAIL PROTECTED] 
 Subject: LPRNG vulnerability [was Re: weird messages in syslog] 
 From: Jim McCloskey [EMAIL PROTECTED] 
 Date: Wed, 21 Nov 2001 10:29:16 -0800 
 CC: [EMAIL PROTECTED] 
 References: E166Lt0-00063w-00@localhost 

I am using lprng 3.8.0 from Debian testing. I am not running nmbd.
There are no messages in the logs about accepted or refused
connections that seem to be related to the incident.

| So there are some questions I would like to pose:
| Is Woody's lprng still vulnerable? I've got the latest version.

I think it must be.

| Is the shown exploit a sign that someone already was in there, or just
| an attempt?
| Can I find possible backdoors, or will I have to re-install?

I also would love answers to these questions. I've not managed to find
any signs of damage so far, and the incident didn't bring the system
down, but I'm very nervous ...

Jim

PS: here are the relevant messages:

--
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 

Repeated then at one-second intervals between 01:18:12 and
01:18:47: the same message followed by the same long sequence of
garbage characters, with a new PID each time.
--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


LPRNG vulnerability [was Re: weird messages in syslog]

2001-11-21 Thread Jim McCloskey


SaDIKuZboy [EMAIL PROTECTED]

| it could be something like a backdoor or an arbitrary service ... try
| to: cron -l. It shows you a table with the binaries called to be run;
| report it and let's see what's there :o)

Thanks for your help.  Maybe you meant crontab -l?

But I'm pretty certain in any case that the garbage in my syslog
file does not reflect the activity of any cron job. There's nothing
remotely resembling it anywhere else in the logs. I've been through
/etc/cron.daily, weekly and monthly, and there is nothing in those
scripts, as far as I can tell, that would produce the kind of output I
have.

Kelley, Tim (CBS-New Orleans) [EMAIL PROTECTED] wrote:

| looks like a buffer overflow attempt to me ... look at your
| security

I'm sure it is.  There is a buffer-overflow advisory against
lprng. Local and remote users can send string-formatting operators to
the printer daemon to corrupt the daemon's execution, potentially
gaining root access.  The messages in my syslog are close to identical
to those reported at:

http://ciac.llnl.gov/ciac/bulletins/l-025.shtml

But the warnings I have seen all refer to versions prior to 3.6.26,
and they all report the problem as fixed in versions since then.  I
have the version from Debian testing, which is 3.8.0 (it's the same in
unstable).

I've not had to deal with such an exploit before, so I would really
appreciate any advice that's going. I've stopped the lprng daemon for
now, until I can tighten things up.

Thank you in advance,

Jim
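
As an added example (not part of this thread, and not LPRng's or Debian's code), a small Python scan that flags syslog lines like the ones Jim quotes: it parses the syslog prefix, looks for printf-style directives in the "bad request line" text, treats any "%n" (or a run of three or more directives) as a format-string attempt, and summarizes the PIDs and timing the way Jim describes. The sample log lines are constructed, with a shortened, made-up payload; the sshd line and the plain "GET" line are decoys that must not trigger.

```python
import re
from datetime import datetime

# Constructed sample syslog lines modelled on the thread's LPRng messages.
# The payload text is shortened and invented, not copied from any real log.
SAMPLE_LOG = """\
Nov 20 01:18:12 localhost SERVER[21311]: Dispatch_input: bad request line 'BB%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n\\220\\220'
Nov 20 01:18:13 localhost SERVER[21312]: Dispatch_input: bad request line 'BB%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n\\220\\220'
Nov 20 01:18:14 localhost SERVER[21313]: Dispatch_input: bad request line 'BB%.232u%300$n%.199u%301$n'
Nov 20 01:20:00 localhost SERVER[21400]: Dispatch_input: bad request line 'GET / HTTP/1.0'
Nov 20 01:21:05 localhost sshd[21455]: Accepted publickey for jim from 192.0.2.10 port 51234
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# One printf directive: optional positional argument ("%300$n"), flags,
# width, precision ("%.156u") and an integer conversion including "%n".
FMT_RE = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?[diouxXn]")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def classify(msg):
    """Return (directives found, True if any of them is a memory-writing %n)."""
    directives = FMT_RE.findall(msg)
    return directives, any(d.endswith("n") for d in directives)


def scan(log_text):
    """Return the parsed records that look like format-string attempts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        directives, writes_memory = classify(rec["msg"])
        if writes_memory or len(directives) >= 3:
            rec["directives"] = directives
            hits.append(rec)
    return hits


def summarize(hits, year=2001):
    """Count hits and report PIDs and the time span, as in Jim's description."""
    if not hits:
        return None
    times = [datetime.strptime(f"{year} {h['ts']}", "%Y %b %d %H:%M:%S") for h in hits]
    return {"count": len(hits), "pids": [h["pid"] for h in hits],
            "programs": sorted({h["prog"] for h in hits}),
            "first": times[0].strftime("%H:%M:%S"), "last": times[-1].strftime("%H:%M:%S"),
            "span_seconds": int((times[-1] - times[0]).total_seconds())}
```

Pipe the real /var/log/messages into scan() instead of SAMPLE_LOG; the summary's "programs" field tells you which daemon logged the lines, and a fresh PID per hit with a one-second spacing matches the pattern Jim saw.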
