> Javier Castillo Alcibar wrote:
>         I have a box running solaris 7, and I see these messages with dmesg command:
> 
> Apr 11 02:32:19 isp4 bsd-gw[6229]: Invalid protocol request (66): 
>BBBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX%.156u%300$n%.2
> 
>1u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍå1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî'MðEìEøÆEüÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^u1ÀFE°óMU
> Íèãÿÿÿ/bin/sh
> 
>         I think someone is trying to hack me....... What's your opinion? ...


I believe (from having seen some of these printed on paper by printers) 
that this is an attempt to exploit the RedHat 7 'LPRng' (BSD line printer
daemon, Next Generation version) via a "format string" bug (a relatively
new category of vulnerability related to buffer overflows) in the
use_syslog() function.

See: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17756 and
        http://darknet.hack.gr/exploits/daemon/lpd/seclpd.c

- H. Morrow Long

> ..... If so, how can I see the IP where they are trying to
> hack me from??
> 
>         Javier.

1. 'netstat -na' if you can do it in real time...
2. Since this is a firewalls mailing list I would be remiss (as well as completely
   off-topic ... ) if I didn't mention that you should do either of the following to
   BOTH block Internet access to lpd (TCP port 515) as well as log who is trying to
   access it from the Internet :

 - configure the 'included' software-based 'firewall', e.g. :
        *       in RedHat 7 (ipchains) 
        *       or the just-released-today RedHat 7.1 w/Linux 2.4 kernel 
                (the new "stateful" iptables).

 - install either a dedicated hardware firewall or a router with firewall functionality
        enabled and configured.


- H. Morrow Long
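
As an added example (not part of the original messages): a small Python check that flags syslog lines carrying `%n`-style write directives like the one quoted above. The sample lines are constructed, with the quoted payload reduced to its printable directives, and the function and field names are this example's own.

```python
import re

# Classic BSD syslog line: "Apr 11 02:32:19 host tag[pid]: message"
SYSLOG = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^\s\[:]+)(?:\[(\d+)\])?:\s(.*)$")
# printf directives that write to memory: %n, %hn, %300$n, ...
WRITE_SPEC = re.compile(r"%(?:\d+\$)?(?:hh|h|ll|l)?n")
# Width/precision padding such as %.156u, used to set the value %n stores
PAD_SPEC = re.compile(r"%\.?(\d+)[udxX]")

# Constructed sample lines. The second is modeled on the message quoted
# above, reduced to its printable directives (binary payload omitted).
SAMPLE_LOG = [
    "Apr 11 02:30:02 isp4 sendmail[6101]: NOQUEUE: connect from localhost",
    "Apr 11 02:32:19 isp4 bsd-gw[6229]: Invalid protocol request (66): "
    "BBBBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n",
    "Apr 11 02:40:00 isp4 cron[6300]: job finished, 100% complete",
]


def inspect(line):
    """Return a finding for one syslog line, or None if nothing is flagged."""
    m = SYSLOG.match(line)
    if not m:
        return None
    when, host, daemon, pid, msg = m.groups()
    writes = [w.group(0) for w in WRITE_SPEC.finditer(msg)]
    if not writes:
        # A bare '%' (e.g. "100% complete") is not a write directive.
        return None
    return {
        "time": when,
        "host": host,
        "daemon": daemon,
        "pid": int(pid) if pid else None,
        "write_specs": writes,
        "pad_widths": [int(p) for p in PAD_SPEC.findall(msg)],
    }


def scan(lines):
    """Inspect every line and keep only the flagged ones."""
    return [f for f in map(inspect, lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["host"], f["daemon"], f["pid"],
              "write directives:", ", ".join(f["write_specs"]))
```

The syslog entry names the daemon and PID but not the peer address, which is why the reply points to `netstat -na` or firewall logging on TCP port 515 for the source IP.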