Security Incidents mailing list archives

Re: syslogd exploit? (fwd)


From: jeffl () WANET NET (Jeffrey F. Lawhorn)
Date: Wed, 22 Mar 2000 08:39:11 -0800


In message <Pine.GSO.3.96.1000320222706.15887A-100000 () slip-3 slip net>, Bill Cassady said:
---------- Forwarded message ----------
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 20 Mar 2000 20:56:24 -0800
Subject: Bounced: syslogd exploit?

This message is more appropriate for the incidents mailing list at
incidents () securityfocus com.

Return-Path: <owner-bugtraq () securityfocus com>
Delivered-To: bugtraq () lists securityfocus com

v 0.1.3.

This is a log of an incident where the entire partition containing the home
directory was wiped.

A couple of weeks prior to this incident, syslogd crashed: ps showed it
running, but it was not really logging.
After killing and restarting it, it resumed normal behavior.

Why was amd trying to remount something? What?

A knowledgeable friend suggested that the entry could have been made through
syslogd.

But we'll never know, right?

Nope, the logs show where the entry was...

-Bill Cassady


Mar 16 09:32:24 osiris pppd[433]: Serial connection established.
Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0
Mar 16 09:32:25 osiris pppd[433]: Connect: ppp0 <--> /dev/modem
Mar 16 09:32:28 osiris pppd[433]: local  IP address 216.7.176.224
Mar 16 09:32:28 osiris pppd[433]: remote IP address 205.134.234.50
Mar 16 09:32:58 osiris pppd[433]: IPXCP: timeout sending Config-Requests
Mar 16 17:13:48 osiris 
Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together
Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#^PRr^??Rr^??Rr^??Rr^??Rr^??

At this point your system was broken into via what looks like a Linux amd
buffer overflow.  At this point you probably had an extra copy of
/usr/sbin/inetd running, answering with a root shell on port 2222.

Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)

Mar 16 20:02:29 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Connection terminated.
Mar 16 20:02:31 osiris pppd[433]: Exit.



----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
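An added example, not part of the thread above or of any poster's code: detection logic run over syslog lines of the kind shown in the log. It flags the three things a practitioner can see in that log without any other evidence: syslogd's own "Cannot glue message parts together" complaint about an oversize message, a long run of one repeated byte in a message body (the ^P, i.e. 0x10, run in the amd line), and a shell command string carried inside a log message (the ";/usr/sbin/inetd /tmp/h &" fragment). The sample log is constructed to mirror the lines above with raw bytes in place of caret notation; the 486-byte run length, the thresholds and the function names are assumptions for illustration, not values from the thread.

```python
import re
import string

# Ordinary printable ASCII plus tab/newline; anything else in a log message
# is treated as binary payload (shellcode, addresses, padding).
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

# "Mon DD HH:MM:SS host message" as written by classic syslogd.
SYSLOG_RE = re.compile(
    rb"^(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) ?(?P<msg>.*)$",
    re.DOTALL,
)

# A shell separator followed by an absolute path, or anything executed from /tmp.
SHELL_CMD_RE = re.compile(rb"[;&|`]\s*/\S+|/tmp/\S+")

# Thresholds are assumptions for this example, not values from the thread.
SLED_MIN_RUN = 64          # one byte value repeated this many times in a row
UNPRINTABLE_RATIO = 0.10   # fraction of non-printable bytes in a message

# Constructed sample modelled on the incident log in the thread (assumed data).
SAMPLE_LOG = b"\n".join([
    b"Mar 16 09:32:28 osiris pppd[433]: local  IP address 216.7.176.224",
    b"Mar 16 17:13:48 osiris ",
    b"Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together",
    b"Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of "
    + b"\x10" * 486,
    b"Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#\x10" + b"Rr\x7f?" * 5,
    b"Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)",
]) + b"\n"


def longest_run(data: bytes):
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best_val, best_len = None, 0
    cur_val, cur_len = None, 0
    for b in data:
        if b == cur_val:
            cur_len += 1
        else:
            cur_val, cur_len = b, 1
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len


def indicators(line: bytes) -> list:
    """Names of the overflow indicators present in one raw syslog line."""
    line = line.rstrip(b"\r\n")
    m = SYSLOG_RE.match(line)
    msg = m.group("msg") if m else line
    found = []
    if b"Cannot glue message parts together" in msg:
        found.append("glue")          # syslogd could not reassemble an oversize message
    val, run = longest_run(msg)
    if run >= SLED_MIN_RUN:
        found.append(f"sled:0x{val:02x}x{run}")   # e.g. sled:0x10x486
    if msg and sum(b not in PRINTABLE for b in msg) / len(msg) > UNPRINTABLE_RATIO:
        found.append("binary")        # raw payload bytes written into the log
    if SHELL_CMD_RE.search(msg):
        found.append("shell_cmd")     # command string carried in the payload
    return found


def scan(log: bytes) -> list:
    """Every line with at least one indicator, as {"line", "time", "indicators"}."""
    hits = []
    for n, line in enumerate(log.split(b"\n"), 1):
        if not line:
            continue
        inds = indicators(line)
        if inds:
            m = SYSLOG_RE.match(line.rstrip(b"\r\n"))
            stamp = m.group(0)[:15].decode("ascii", "replace") if m else ""
            hits.append({"line": n, "time": stamp, "indicators": inds})
    return hits


def first_entry(log: bytes):
    """(line number, timestamp) of the first line carrying a sled or an embedded command."""
    for h in scan(log):
        if any(i.startswith("sled:") or i == "shell_cmd" for i in h["indicators"]):
            return h["line"], h["time"]
    return None


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["line"], h["time"], h["indicators"])
    print("entry:", first_entry(SAMPLE_LOG))
```

Run it as a script, or feed it a real file with `scan(open(path, "rb").read())`; the log must be read as bytes, since the whole point is that the payload is not text. Note that syslogd's "Cannot glue" line arrives before the oversize message it refers to, so correlate on the timestamp rather than on line order alone.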



