Security Incidents mailing list archives
Re: syslogd exploit? (fwd)
From: jeffl () WANET NET (Jeffrey F. Lawhorn)
Date: Wed, 22 Mar 2000 08:39:11 -0800
In message <Pine.GSO.3.96.1000320222706.15887A-100000 () slip-3 slip net>, Bill Cassady said:
---------- Forwarded message ----------
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 20 Mar 2000 20:56:24 -0800
Subject: Bounced: syslogd exploit?

This message is more appropriate for the incidents mailing list at incidents () securityfocus com.

Return-Path: <owner-bugtraq () securityfocus com>
Delivered-To: bugtraq () lists securityfocus com v 0.1.3.

This is log of incident where entire partition containing home directory was wiped. A couple weeks prior to this incident, syslogd crashed, ps showed it running but it was not really logging. After killing and restarting it resumed normal behavior. Why was amd trying to remount something? what? A knowledgeable friend suggested that entry could have been made through syslogd. But we'll never know, right?
Nope, the logs show where the entry was...
-Bill Cassady --------------F1AD4209347C117453FFE573 Content-Type: text/plain; charset=iso-8859-1; name="crash" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline; filename="crash" Mar 16 09:32:24 osiris pppd[433]: Serial connection established. Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0 Mar 16 09:32:25 osiris pppd[433]: Connect: ppp0 <--> /dev/modem Mar 16 09:32:28 osiris pppd[433]: local IP address 216.7.176.224 Mar 16 09:32:28 osiris pppd[433]: remote IP address 205.134.234.50 Mar 16 09:32:58 osiris pppd[433]: IPXCP: timeout sending Config-Requests Mar 16 17:13:48 osiris = Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount o= f ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P= ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P= ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P= ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P= ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P= ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P= ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^= P^P^P^P^P^P^P^P^P^P^P^P^P Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#^PRr^??Rr^??Rr^??Rr^?= ?Rr^??
At this point your system was broken into via what looks like a linux amd buffer overflow. At this point you probably had an extra copy of /usr/sbin/inetd running, answering with a root shell on port 2222.
Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)
Mar 16 20:02:29 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Connection terminated.
Mar 16 20:02:31 osiris pppd[433]: Exit.

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
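
One way to triage syslog files for the two signs visible in the log above (a long run of one caret-notation control character, and command text in a line with no valid tag), added here as an example and not part of the original thread. The function names and the repeat threshold are assumptions, and the sample lines are constructed, with `host1` as a placeholder host name and the padding run shortened.

```python
import re

# Well-formed BSD syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ [\w./-]+(?:\[\d+\])?: ")
# One caret-notation control character (^@ .. ^_ or ^?) repeated 16+ times.
# The threshold of 16 is an assumption; tune it against your own logs.
CTRL_RUN = re.compile(r"(\^[@-_?])\1{15,}")
# A shell separator directly followed by a path under a system bin directory.
SHELL_EXEC = re.compile(r"[;|&`]\s*/(?:usr/)?s?bin/\w+")


def classify(line):
    """Return the reasons (possibly none) a syslog line deserves a closer look."""
    reasons = []
    run = CTRL_RUN.search(line)
    if run:
        reasons.append(f"control-run {run.group(1)} x{len(run.group(0)) // 2}")
    # Command text is normal inside tagged cron lines; it is not normal in a
    # line whose tag field is missing or mangled, as in the second amd line.
    if HEADER.match(line) is None and SHELL_EXEC.search(line):
        reasons.append("shell-exec in untagged line")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every line that triggers a heuristic."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]


# Constructed sample modelled on the log in this thread (host1 is a placeholder,
# and the padding run is shortened to 40 repeats).
SAMPLE = [
    "Mar 16 09:32:25 host1 pppd[433]: Using interface ppp0",
    "Mar 16 09:40:01 host1 CROND[512]: (root) CMD (cd / && /usr/bin/run-parts /etc/cron.hourly)",
    "Mar 16 17:13:49 host1 30>Mar 16 17:13:48 amd[136]: amq requested mount of " + "^P" * 40,
    "Mar 16 17:13:49 host1 p/h;/usr/sbin/inetd /tmp/h &",
    "Mar 16 19:57:05 host1 PAM_pwdb[204]: (login) session opened for user bill by (uid=0)",
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE):
        print(lineno, "; ".join(reasons))
```

The tagged cron line is in the sample to show that ordinary command text does not trigger the second heuristic.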