Security Incidents mailing list archives

Re: syslogd exploit? (fwd)


From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Wed, 22 Mar 2000 09:54:06 +0100


On Mon, Mar 20, 2000 at 10:29:38PM -0800, Bill Cassady wrote:
---------- Forwarded message ----------
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Mon, 20 Mar 2000 20:56:24 -0800
Subject: Bounced: syslogd exploit?

This message is more appropriate for the incidents mailing list at
incidents () securityfocus com.

Return-Path: <owner-bugtraq () securityfocus com>
Delivered-To: bugtraq () lists securityfocus com

v 0.1.3.

This is a log of an incident where the entire partition containing the home
directory was wiped.

A couple of weeks prior to this incident, syslogd crashed; ps showed it
running, but it was not really logging.
After killing and restarting it, it resumed normal behavior.

Why was amd trying to remount something? What?

A knowledgeable friend suggested that the entry could have been made through
syslogd.

But we'll never know, right?

This looks to me like a more or less successful amd exploit. Especially the
line with "inetd" looks suspicious.

If this is a Linux box, you were probably running version "am-utils version 6.0
(build 6)" or less, which is vulnerable to a syslog (not syslogd!) overflow
attack.

I'd say your box was hacked.

Erich

[Attachment: crash (text/plain)]

Mar 16 09:32:24 osiris pppd[433]: Serial connection established.
Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0
Mar 16 09:32:25 osiris pppd[433]: Connect: ppp0 <--> /dev/modem
Mar 16 09:32:28 osiris pppd[433]: local  IP address 216.7.176.224
Mar 16 09:32:28 osiris pppd[433]: remote IP address 205.134.234.50
Mar 16 09:32:58 osiris pppd[433]: IPXCP: timeout sending Config-Requests
Mar 16 17:13:48 osiris

Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together
Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#^PRr^??Rr^??Rr^??Rr^??Rr^??
Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)

Mar 16 20:02:29 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Connection terminated.
Mar 16 20:02:31 osiris pppd[433]: Exit.



----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/

--
Erich Meier                              Erich.Meier () informatik uni-erlangen de
                                 http://www4.informatik.uni-erlangen.de/~meier/
 Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."
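The attached log shows the three things Erich points at: a message fragment whose body is a long run of ^P (0x10) bytes, a second priority tag and timestamp ("30>Mar 16 17:13:48 ...") glued inside the body of another message, and a shell fragment (";/usr/sbin/inetd /tmp/h &") logged as if it were a message. The following Python script is an added example, not code from this thread or from am-utils; it runs those heuristics over constructed sample lines modelled on the attachment (the ^P run is rendered as real 0x10 bytes and shortened). The thresholds, regexes and tag names are assumptions chosen for illustration.

```python
"""Flag syslog lines that look like an overflow attempt against a daemon
that logs untrusted input (amd's "amq requested mount of ..." here).

Added example; not code from the thread.  Thresholds and patterns are
assumptions for illustration and should be tuned for real logs.
"""
import re
from typing import Dict, List

# Constructed sample input modelled on the "crash" attachment above.
# The ^P run is rendered as 0x10 bytes and shortened, "^?" as 0x7f.
SAMPLE_LOG = (
    "Mar 16 09:32:28 osiris pppd[433]: local  IP address 216.7.176.224\n"
    + "Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together\n"
    + "Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of "
    + "\x10" * 64 + "\n"
    + "Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#\x10Rr\x7f?Rr\x7f?\n"
    + "Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)\n"
)

# Classic syslog line: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Assumption: no legitimate message carries this many consecutive control bytes.
MIN_CONTROL_RUN = 16

# A shell separator followed by an absolute path: command text leaking into a log.
SHELL_FRAGMENT_RE = re.compile(r"[;|&`]\s*/(?:usr|bin|sbin|tmp|etc)/\S*")

# A priority tag plus timestamp inside the message body: a fragment syslogd
# could not frame ("30>" is a <30> tag that lost its leading '<').
EMBEDDED_PRI_RE = re.compile(r"<?\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")

GLUE_MSG = "Cannot glue message parts together"


def longest_control_run(s: str) -> int:
    """Length of the longest run of control bytes (0x00-0x1f except TAB, or 0x7f)."""
    longest = run = 0
    for ch in s:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def classify(line: str) -> List[str]:
    """Return the list of indicator names that fire on one log line."""
    m = SYSLOG_RE.match(line)
    msg = m.group("msg") if m else line
    reasons: List[str] = []
    if GLUE_MSG in msg:
        reasons.append("syslogd-glue")
    if longest_control_run(msg) >= MIN_CONTROL_RUN:
        reasons.append("control-run")
    if EMBEDDED_PRI_RE.search(msg):
        reasons.append("embedded-pri")
    if SHELL_FRAGMENT_RE.search(msg):
        reasons.append("shell-fragment")
    return reasons


def scan(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the indicators that fired; clean lines are omitted."""
    findings: Dict[int, List[str]] = {}
    for n, line in enumerate(text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            findings[n] = reasons
    return findings


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
```

The "syslogd-glue" hit on its own is only a hint that a message arrived in pieces; it becomes interesting when, as here, the next lines carry a control-byte run and a shell fragment from the same second. Run it against /var/log/messages from the box to see whether earlier "amq requested mount" lines show the same pattern.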


