I had 2 different server lock ups in the last week. In a reply to an email on another list someone suggested that this is a "syslog hack exploit".
I see nothing in the debian.org pages about this and we do have the latest version of sysklogd (1.3-31).

Has anyone heard about this problem? Is there a fix for it?

Please see the email below for details.

Thanks,

Ken Rea

---------- Forwarded message ----------
Date: Tue, 20 Apr 1999 14:45:34 -0400
From: Matthew Prentice <[EMAIL PROTECTED]>
Reply-To: Linux Servers mailing list <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Unknown Server Lockup

Ken,

It's a syslog hack exploit. Make sure you have the most up-to-date (k)syslog. You might be able to rescue your system if you have a session as root (either on the console, or telnet and then su to root). You won't be able to login after the exploit has been attempted. If you already have the root session established then you should be able to stop and restart the klog and syslog processes and everything should be okay (except you still have a vulnerable system).

I think there are some versions of syslog that claim to fix the exploit but still lock up. I upgraded a system of ours to a package that claimed to fix the problem but the machine still locked up. After I upgraded to the next revision everything is fine. I see some attempts in the logs but the system keeps churning along without a hitch.

Matthew R. Prentice [EMAIL PROTECTED]
Director of Information Systems 703-522-6500
WestLake Internet Training www.westlake.com

On Tue, 20 Apr 1999, Ken Rea wrote:

> One of our servers has taken to locking up twice in the last week. The
> machine is a Pentium class machine that runs a Debian distribution with a
> 2.0.36 kernel. It has been running fine since last July without any
> problems.
>
> The only thing the logs show is a bunch of
> "[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@^" in the syslog
> file and that's it! With a monitor on the server I see nothing, just a
> blank screen. The only thing that can be done is to re-start the machine.
>
> Anyone run into this before? I don't have a clue on what to look at.
>
> Thanks,
>
> Ken Rea
> [EMAIL PROTECTED]