Security Incidents mailing list archives

Re: solaris hack info required


From: Devdas Bhagat <devdas () worldgatein net>
Date: Fri, 29 Jun 2001 22:22:47 +0530

On Fri, 29 Jun 2001, Mark Hollow spewed into the ether:
> Any help you can give me would be appreciated.
>
> I've a Sun Netra X1 (Solaris 8) with a /var/adm/messages file full of these
> messages at frequent but irregular intervals (approx every 5-10 seconds for
> several hours).
>
> Jun 24 03:43:02 jim bsd-gw[13276]: [ID 315218 lpr.error] Invalid protocol request (66):
> BBBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh

Looks like the red worm. Dunno what you would see, but you shouldn't
have to worry unless you are running lpr on a machine exposed to the
net. Otherwise, look for an open listening port, modified files...
the usual suspects.

Devdas Bhagat
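
Added example (not part of the original message or of any tool named in it): a small Python triage script that finds lpr.error entries whose logged request contains printf-style write directives such as %300$n, including entries whose text is wrapped across lines as in the quote above. The sample log is constructed, and the names entries and format_string_probes are hypothetical.

```python
import re

# Constructed sample in the layout of the entry quoted above: the daemon's
# message is wrapped, so part of it sits on lines with no syslog header.
SAMPLE_LOG = """\
Jun 24 03:43:02 jim bsd-gw[13276]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBXXXX%.156u%300$n%.21u%30
1$n
Jun 24 03:43:09 jim bsd-gw[13277]: [ID 315218 lpr.error] Invalid protocol request (66):
BBXXXX%.156u%300$n%.21u%301$n
Jun 24 03:50:41 jim bsd-gw[13301]: [ID 315218 lpr.error] Invalid protocol request (71): GET / HTTP/1.0
Jun 24 04:02:10 jim sendmail[402]: [ID 801593 mail.info] 100% of queue processed
"""

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]:\s"
    r"(?:\[ID\s\d+\s(?P<fac>[\w.]+)\]\s)?(?P<msg>.*)$")
# printf-style write directives: %n, %hn, %300$n ... (heuristic, not a parser)
WRITE = re.compile(r"%(?:\d+\$)?(?:hh|ll|h|l)?n")

def entries(log_text):
    """Yield one dict per entry, folding header-less continuation lines
    into the message of the entry that precedes them."""
    current = None
    for raw in log_text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and raw.strip():
            current["msg"] += raw.strip()
    if current:
        yield current

def format_string_probes(log_text):
    """Return (timestamp, host, pid, directives) for lpr.error entries
    whose logged request contains printf write directives."""
    hits = []
    for e in entries(log_text):
        writes = WRITE.findall(e["msg"]) if e["fac"] == "lpr.error" else []
        if writes:
            hits.append((e["ts"], e["host"], int(e["pid"]), writes))
    return hits

if __name__ == "__main__":
    for hit in format_string_probes(SAMPLE_LOG):
        print(*hit)
```

A hit only shows that a probe was logged; it says nothing about whether the print service was affected, so the checks for listening ports and modified files still apply.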

