Re: strange log entry

2001-05-25 Thread Ethan Benson
On Fri, May 25, 2001 at 01:55:35AM -0700, Jacob Meuser wrote: > > > Well, you /could/ just check their sources. They're on the web you > know. http://www.openbsd.org/cgi-bin/cvsweb/ They're published > in public, what more do you really want? It's pretty easy to find > out when and who made ch

Re: strange log entry

2001-05-25 Thread Jacob Meuser
On Thu, May 24, 2001 at 05:30:14AM -0800, Ethan Benson wrote: > On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote: > > On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote: > > > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote: > > > > > > > > > BS, when was the last

Re: strange log entry

2001-05-24 Thread Peter Cordes
On Thu, May 24, 2001 at 12:09:55PM -0400, Ed Street wrote: > Hello, > > that's simple ;) If they was stable/non-exploitable then we'd be using rpc > in place of ssh ;) Wha??? There's a difference between exploitable and sniffable. RPC doesn't use encryption, except for something Sun cooked up

Re: strange log entry

2001-05-24 Thread Mirek Kwasniak
On Thu, May 24, 2001 at 07:33:44AM +, Jim Breton wrote: > On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote: > > the last two i understand, as well as domain, but sunrpc and 1171? > > man fuser. Look for the "-n" option. ... or look for -p option of netstat :) Mirek

RE: strange log entry

2001-05-24 Thread Ed Street
Hello, that's simple ;) If they was stable/non-exploitable then we'd be using rpc in place of ssh ;) Ed -Original Message- From: Jacob Meuser [mailto:[EMAIL PROTECTED]] Sent: Thursday, May 24, 2001 8:41 AM To: debian-security@lists.debian.org Subject: Re: strange log entry O

RE: strange log entry

2001-05-24 Thread Ed Street
PROTECTED] Sent: Thursday, May 24, 2001 4:34 AM To: debian-security@lists.debian.org Subject: Re: strange log entry On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote: > Hello, > > Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat > 6.x box in under 30 se

Re: strange log entry

2001-05-24 Thread Noah L. Meyerhans
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote: > OpenBSD ships with rstatd and ruserd enabled by default and according to > http://www.openbsd.org/ > > "Four years without a remote hole in the default install!" > > Which begs the question, especially since the *BSD's release th

Re: strange log entry

2001-05-24 Thread David Ehle
On Thu, 24 May 2001 [EMAIL PROTECTED] wrote: What you have there is someone trying to do a buffer overflow attack on rpc.statd. The idea is that once the buffer is blown, they will get a chance to issue a command as root. In the attack that was attempted on one of the systems I was given to supe

Re: strange log entry

2001-05-24 Thread Ethan Benson
On Thu, May 24, 2001 at 05:41:08AM -0700, Jacob Meuser wrote: > On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote: > > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote: > > > > > > > BS, when was the last time you installed OpenBSD? I just did an install > > > > 2.5 > That

Re: strange log entry

2001-05-24 Thread Jacob Meuser
On Thu, May 24, 2001 at 04:06:08AM -0800, Ethan Benson wrote: > On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote: > > > > > BS, when was the last time you installed OpenBSD? I just did an install > > 2.5 That was what, 2 years ago? > > > today. I guarantee portmap, ruserd, and rstat

Re: strange log entry

2001-05-24 Thread Ethan Benson
On Thu, May 24, 2001 at 04:50:57AM -0700, Jacob Meuser wrote: > > > BS, when was the last time you installed OpenBSD? I just did an install 2.5 > today. I guarantee portmap, ruserd, and rstatd are enabled by default, > as the installer doesn't even ask what you want to activate, and these > pro

Re: strange log entry

2001-05-24 Thread Jacob Meuser
On Thu, May 24, 2001 at 12:43:40AM -0800, Ethan Benson wrote: > On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote: > > On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote: > > > Hello, > > > > > > Well first off WHY are you running the rpc stuff? (i.e. I can root a > > > redhat

Re: strange log entry

2001-05-24 Thread Ethan Benson
On Thu, May 24, 2001 at 01:34:01AM -0700, Jacob Meuser wrote: > On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote: > > Hello, > > > > Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat > > 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn

Re: strange log entry

2001-05-24 Thread Jacob Meuser
On Thu, May 24, 2001 at 01:24:50AM -0400, Ed Street wrote: > Hello, > > Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat > 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn > that stuff OFF. > Not to start a thread discussing OSes, but ... Ope

Re: strange log entry

2001-05-24 Thread Jim Breton
On Thu, May 24, 2001 at 04:10:13PM +0900, Curt Howland wrote: > the last two i understand, as well as domain, but sunrpc and 1171? man fuser. Look for the "-n" option. > i've cleaned up everything i can think of, but X11R6 says it still needs the > RPC packages. Why does/would X11 require RPC?

RE: strange log entry

2001-05-24 Thread Eric N. Valor
IPChains/Tables. All these services run on certain ports that they use even internally to the machine. Unless you're building a hardened firewall box (where you shouldn't be running RPC or X11 anyway) you should just either A) [preferable] have these systems behind a hardened firewall box,

RE: strange log entry

2001-05-24 Thread Curt Howland
ok, with all this talking about rpc security holes, even though i've port-scanned and edited my initd.conf file, and pruned out everything i can think of to prune, the following still shows up in netstat -a: tcp 0 0 *:sunrpc *:* LISTEN udp 0 0 *:1171

Re: strange log entry

2001-05-24 Thread Eric N. Valor
certainly does smell like some shell code (although some of the other characters look like an Asian character set being misinterpreted). Best bet is to set up some IPChains/Tables rules with a Default-Deny stance and then allow in from the outside only the very minimal required based on your

Re: strange log entry

2001-05-24 Thread hpknight
Definitely a security problem. But the fact that you actually saw something is good news .. it means the exploit didn't work. If it had worked, the thing would just die quietly and not log anything. Better off without rpc anyway, unless you *need* it for NFS or something similar. And if you rea

Re: strange log entry

2001-05-24 Thread Peter Cordes
On Wed, May 23, 2001 at 10:58:43PM -0700, Wade Richards wrote: > Yep, it's a security problem. Someone is trying to hack into your system > using one of many known security bugs in the rpc daemon. > > If you don't need the rpc stuff running, then just disable it (better yet, > uninstall it). I

Re: strange log entry

2001-05-24 Thread Wade Richards
Yep, it's a security problem. Someone is trying to hack into your system using one of many known security bugs in the rpc daemon. If you don't need the rpc stuff running, then just disable it (better yet, uninstall it). If you really do need it running, but it's only used locally, then I sugg

RE: strange log entry

2001-05-24 Thread Ed Street
Hello, Well first off WHY are you running the rpc stuff? (i.e. I can root a redhat 6.x box in under 30 seconds with a rpc exploit from a clean install) Turn that stuff OFF. Ed -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, May 24, 2001 1:08 AM To:
