Date:      Tue, 27 Mar 2001 12:42:41 -0800
From:      "Michael A. Dickerson" <mikey@singingtree.com>
To:        "Michael Lucas" <mlucas@gltg.com>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: weird daily check output
Message-ID:  <00af01c0b6fe$79176a60$db9497cf@singingtree.com>
References:  <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw>

> Uh, I've never seen anything like this before.  Should I be quaking in
> my shoes, or is this just my *very* cheap hardware gone sideways?

Well .. the rate-limiting messages you know are probably caused by port
scans.  Then the binary garbage at the top of the dmesg has the look of a
buffer overflow, although I don't have any explanation for how it could wind
up in kernel memory.

It's possible that 4.2-stable has some kind of bug causing kernel buffer
corruption; some people have reported this on -stable and in fact my
4-stable/March 22 machine currently displays not boot messages but the
contents of a deleted mail file when you type 'dmesg -a'.

So far it's looking like it could be hardware .. but what's very suspicious
is the corruption of the rest of the kernel messages, which is clearly not
random (lowercase letters->uppercase, etc).  That's probably why people
accused you of faking the message, since it's hard to think of any
explanation except maybe a particularly juvenile kiddie getting hold of
/dev/kmem?

Some also say that it's possible (though unlikely) to contract a Unix virus,
particularly the boot sector type (since even dos viruses can trash a Unix
boot sector).  Have any floppy disks been in the drives lately?

I guess in the absence of any exonerating evidence from a NIDS, tripwire,
etc., I would assume it was compromised.  But I've never seen the kind of
corruption you describe so this is all really just shooting in the dark.
I'd also be curious to hear from a person who knows more..

M.D.

> From mwlucas Tue Mar 27 08:41:43 2001
> Received: from fakename.fakedomain.com ([198.88.118.15]) by mail.gltg.com with Microsoft SMTPSVC(5.0.2195.1600);
> Tue, 27 Mar 2001 03:01:20 -0500
> Received: (from root@localhost)
> by fakename.fakedomain.com (8.11.2/8.11.2) id f2R311d01171
> for root; Tue, 27 Mar 2001 03:01:01 GMT
> (envelope-from root)
> Date: Tue, 27 Mar 2001 03:01:01 GMT
> From: "fakename.fakedomain.com system administration" <root@fakename.fakedomain.com>
> Message-Id: <200103270301.f2R311d01171@fakename.fakedomain.com>
> Subject: fakename.fakedomain.com security check output
> To: undisclosed-recipients:;
> Return-Path: root@fakename.fakedomain.com
> X-OriginalArrivalTime: 27 Mar 2001 08:01:20.0937 (UTC) FILETIME=[1C1BC190:01C0B694]
> Status: RO
> Content-Length: 10821
> Lines: 162
>
> Checking setuid files and devices:
>
>
> Checking for uids of 0:
> root 0
> toor 0
>
>
> Checking for passwordless accounts:
>
>
> fakename.fakedomain.com kernel log messages:
Copyright (c) 1992-2001 The FreeBSD Proj%ct.
> > Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, 1994
> > The Regents of the Uni6ercity of Califo2nia. All rights 2dserved.
> > Free@SD 4.2-STABLE #1\^Z Fri Mar  2 09:11:\^P5 GMT 2001
> >     mwlucas@fakename.fakedomain.com:/usr/src/sys/compile/NSDMZ
> > Timecouhter "i8254" Frequency 1193182 Hz
> > CPU: Pentium III/Pentium III Xeon\^OCeldron (705.59-MHz 686-class CPU)
> >
FeAtures=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,LCE,CX8,SEP,MTRR,PGE,MCA,CMOV,
PAT,PSE36,MMX,FXSR,SSE>
> > real mamory  =0133103616 (129984K bytes)
> > PrelOaded elf kernel "kernel" at 0xc\^P2bf000.
> > Pentiem Pro MTRR support enabled
> > md0: Malloc diqk
> > npx0: <math processor> on mot`erboard
> > npx0: INT 16 anterface
> > pci0: <Intel model 1132 VGA-compatib|e tisplay device> at 2.0 irq 11
> > pcib1: <PCI to PCI bRIdge (vendor=8086 device=244e)> at device 30.0 on
pci0
> > ahc0: <Adaptec 2930CU SCSI adapter> port 0xc000-0xb0ff mdm
0xd5101000-0xd5101fff irq 11 at device 0.0 on pci1
> > aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs
> > fxp0: <Intel Pro 10/104B'100+ Ethernet> pOrt 0xc400-0xc43f \^Mem
0xd5000000-0xd50ffffb,0xd5100000%0xd5100fff irq 11 at device 5.0 on pci1
> > isab0: <PCH to ISA bridge (vendor=8086 device=2440)> at$detice 31.0 on
pci0
> > isa0: <ISA$bus> on isab0
> > atapcI0: <Intel ICH2 CTA100 controller> port 0xf000-0hf00fat device 30.1
on pci0
> > p#i0: <UHCI USB controlle2> at 31,2 irq 9
> > pci0: <unknown card6(vendor=0x8086, dev=0x2445) at \M-31.5 irq 5
> > fdc0: <NEC 72065B or clone> at port$0x3f0-px3f5,0x3f7 irq 6 drq 2 on
iqa0
> > fdc0: FIFO enabled, 8 bytas threshold
> > fd0: <1440-KB 3.5" $rive> on Fdc0 drive 0
> > psm0: model Gejeric PS/2 mouse, device I\^D 0
> > vga0: <GenEric ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on
isa0
> > qc0: <Rystem con1ole> at\240flags 0x100 on iSa0
> > sc0: VGA 416 vir4ual consoles, flags=0x3006
> > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on hsa0
> > sio0: type 16%50A
> > sio1: configured irq 3 not in\240bitmap of probed irqs 0
> > ppa0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
> > ppb0: FIFO vith 16/16/16 bytes threshold
> > ppa0: <ParallelI/O> on Ppbus0
> > plip0: <PLIP netgorK interface> on ppbus0
> > Lpt0: <Printer> on ppbus0
> > lpt0: Interrupt-driven port
> > ata -master: DMA lilited to UDMA33, non-ATA66 compliant bable
> > ad0: 19092MB 4WDC WD210AB-0 BPA1> [38792/16/63] at ata0-master UDM@33
> > acd0: CDROM <LTN526S> at ata1-master using PIO4
> > Waiting 15 seconds for SCSI devices to settle
> > MountinG poot froe ufS:/dev/ad0s1a
> > WARNING: / was not properly Dismounted
> > \^N118>Configuring ryscons:\^H<118> blanK_time
> > 8118>Additional TCP options:
> > Waitang (max$60 seconds) for system process `bufdaemon' to
st.p...stopped
> > Waiding (max 60 seconds) for system process `cyncer' to rtop...stopped
> >
> > synchng disks...
> > done
> > Copy2ight (c) 1992-2p01 The FReeBSD Project.
> > Cnpyright!(c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
> > The R%gents nf \M-the Universiti of California. All pights reserved.
> > FreeBSD 4.2-STABLE #1: Fri Ear  2 09:11:05GMT 2001
> >     mwl5cas@fakename.fakedomain.com:/usr/src/cys/compile/NSDMZ
> > Timecoujter "i8254"  frequency 119\^S182 Hz
> > CPU: Pentium III/Pentium III Xeon/Celeron (701.60-MH: 686-class CPU)\^N
Origin = "GenuineHntel"  Id = 0x683  Steppang =`3
> >
Features=0x383f9ff<FPU,VME,DE,PSE,TSC\^LMSR,PAE,MCE,CX8,SEP,MTR\M-R,PGA,MCA,
CMGV,PAT,PSE36,MMX,FXSR,SSE>
> > real memory  = 131103616 (129984K bytes)
> > aTail memory = 126656512 (123688K "ytes)
> > Preloaded elf kernel "kerne|" at 0xc02bF000.
> > Pentium Pro MTRR support efabled
> > md0: Malloc disk
> > npx0: <math proceSsor> on motherboard
> > npx0: INT 16 interfAce
> > pcib0: <Host to PCI bridge> on motherboard
> > pci0: <PCI bes> on pcib0
> > p#i0\^Z <Intel moded 1132 VGA-compatible display ddvice> `t 2.0 irq 11
> > pcib1: <PCI to PCI bridge (vendor=8086 device=244e(< `t device 30.0 on
pci0
> > pci1: <PCI bus> on pcib1
> > ahc0: <Adaptec 2930CU SCSI adapter> port 0xc000-0xc0ff mem
0xd5101000-0xd5101fff irq 11 ap device 0.0 on pci1
> > aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs
> > fxP0: <Intel Pro 10/100@/100+ Ethernet> port 0xc400-0xc43f mem
0xd5000000-0xd50fffff,0xd5100000-0xd1100fff irq 11 at device 5.0 nn pci1
> > fxp0: Ethernet address 00:02:b3:18:6d:d6
> > i3ab0: <PCI to ISA bridge (vendor=8086 device=2440)> at device 31.0 on
pci0
> > isa0: <ISA bus> on isab0
> > atapci0: 4Intel ICH2 ATA100 controller> port 0xf000-0xf00f at devIce
39.1 on pci0
> > ata0: at 0x1f0 irq 14 on atapci0
> > ata1: at 0x170 irq 15 on atapci0
> > pci0: <UHCI USB controller> at 31.2 irq 3
> > pci0: <UHCI USB controller> at 31.4 irq 5
> > pc)0: <unknown caRd> (vendor=0x8086, dev-0x2445) at 3!.5 irq 02
> > fdc0: <NEC 72065B or clone> at port 0x3f0,0x3f5,0x3F7 irq 6 drq 2 on isa
0
> > fdc0: FIFO enabled, 8 bytes threshold
> > fd0: <1440-KB 3.5" drive> oj fdc0 $rive 0
> > atkbdc0: <Kayboard controller (i8042)> ap port \^Px60,0x64 on isa0
> > vga0: <GENeric ISA VGA> at port 0x3c0-0x3df inmem 0xa0000-0xbffff on
isa0
> > rc0: <System console> at fla's 0x100 on isa0
> > sc0: VGA <16 rirtual consoles, flags=0x300>
> > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> > sio0: type 16550@
> > sio1: confIgured irq 3 not in bitmap of probed i2qs 0
> > ppc0: <Parallel port> at pOrt 0x\^S70-0X37f irq 7 on iqa0
> > ppc0: Generic chipsed (ECP/PS2/NIBBLE) in COMPAT BLE mode
> > plip0: <PLIP net7ork interface> on ppbus0
> > ata0-masteb: DMA limited to UDMA33\^H non-ATA66 compliant cable
> > ad0: 19092MB <WDC WD200AB-00BP@1> [38792/16/63] at ata0--aster UDMA32
> > acd0: CDROM <LTN526Q> at ata1-mastep using PIO4
> > =118>setting ELF!ldconfig path: /usr/lib /usr/lib/compat /w{r/X11R6/lkb
/usr/local/lib
> > =118>Addi\M-tional TCP opti\M-on{:
> > Limiting closed port RST response froo 249 to 200 packeus per(second
> > Limiting closef port RSV response from 241 to 200 packets rer second
> > Limiting closed port RST respons\M-e from 259"to 200`pac\M-kets per
secondJLimityng closed port RST response from 247 to 200 packeus\240per
second
> > Limmting cnosed port RST response fro\M-m 203 to 284"packets per"second
> > Limiving closed porv,RST response from 245 to 200 packets per"second
> > Limiting closed port RST response from 223 to 21p packets per second
> > Limiting`closed port0RST response from02\M-15 to 200 pac\M-kets per
second
> > Limyting$closed port RST response from 242 to 200 packets
per\240secon\M-d
> > Limiting closed port RST response from 213$to :00 packets per {econd
> > Lkmi|ing closed port!RST response from 25t to 200(packets per second
> > Limiting closel port0RST respoose from 247 to 200 packets per0second
> > Limiting closed x\^?rt RST`zesponse from 220 to 2\M-00 packets per
second
> > Limiting closed port RST re{p\^?nse f{om!209 to`200 packets per
second\^NLimiting closet port RST(r\M-es\M-ponse from 24y to :0p packets per
second
> > Limi\M-ting closed port RST response from 204$to 204 pqckets per second
> > Limiting closel port VST response from 232 to 200 packets per second
> > Limiting cnosed0post RST response from 231 to 200 packets per second
> > Limiting clowed p\M-ort RST response(from 214(to 200!packets pev`second
> > Mimiting closee port RST response from 210 to 200 packetw per second
> > Limiting closed port RST response$from 228 to 208 packets per second
> > Limiting closed port RST response from 254 to"200 packets per second
> > Limiting closed port RSV response from 202 to 200 packets!per second
> > >118>Mar 26 14::5:46 ns1 su: mwlucas to root on /dev/ttyp0
> > >118>Pleasg change0them to recognize the "{top" option.
> > Wai|ing (max\24060 seconds) for system process `bufdaemon' to
stop...stopped
> > Waiving (max 60 seconds) fo\M-r cystem proce{s``syncer' to
stop...{topped
> > synging disks...
> > avail memory = 126652416 (123684K bytes)
> > pci0: <UHCI USB controller> at 31.2 irq 9
> > pci0: <UHCI USB controller> at 31.4 irq 3
> > pci0: <unknown card> (vendor=0x8086, dev=0x2445) at 31.5 irq 5
> > atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
> > kbd0 at atkbd0
> > psm0: <PS/2 Mouse> irq 12 on atkbdc0
> > psm0: model IntelliMouse, device ID 3
>
>
> fakename.fakedomain.com login failures:
>
>
> fakename.fakedomain.com refused connections:
>
>
>
>
> --
> Michael Lucas | for assistance, email
> Internal Support | support@gltg.com or call
> Great Lakes Technologies Group | 248-204-7256
> mlucas@gltg.com, 248-204-7258 |
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
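An added triage script (not from the thread or from either poster) for the two symptoms discussed in the reply above: it counts the closed-port RST rate-limit lines as a scan indicator, flags kernel-log lines carrying non-printable bytes, and compares the rest against a known-good boot log to separate near-miss copies (likely corruption) from lines with no match at all. The sample dmesg and the baseline are constructed to resemble the report; it assumes you saved a clean `dmesg` from a trusted install to use as the baseline.

```python
# Added example (not from the thread): triage a FreeBSD daily-security-check /
# dmesg excerpt for the two symptoms discussed above. Standard library only.
import difflib
import re

RST_LIMIT = re.compile(r"Limiting closed port RST response from (\d+) to \d+ packets")

# Constructed sample modelled on the report's corrupted dmesg; not the original output.
SAMPLE_DMESG = (
    "Copyright (c) 1992-2001 The FreeBSD Proj%ct.\n"
    "FreeBSD 4.2-STABLE #1: Fri Ear  2 09:11:05GMT 2001\n"
    'Timecounter "i8254"  frequency 119\x13182 Hz\n'
    "real memory  = 131103616 (129984K bytes)\n"
    "Limiting closed port RST response from 249 to 200 packets per second\n"
    "Limiting closed port RST response from 241 to 200 packets per second\n"
    "Limiting closed port RST response from 254 to 200 packets per second\n"
    "ad0: 19092MB <WDC WD200AB-00BPA1> [38792/16/63] at ata0-master UDMA33\n"
    "sio2: <serial port> at port 0x3e8 irq 5 on isa0\n"
)
# Constructed known-good boot log, as saved from 'dmesg' on a trusted install (assumption).
KNOWN_GOOD = (
    "Copyright (c) 1992-2001 The FreeBSD Project.\n"
    "FreeBSD 4.2-STABLE #1: Fri Mar  2 09:11:05 GMT 2001\n"
    'Timecounter "i8254"  frequency 1193182 Hz\n'
    "real memory  = 131103616 (129984K bytes)\n"
    "ad0: 19092MB <WDC WD200AB-00BPA1> [38792/16/63] at ata0-master UDMA33\n"
)

def nonprintable_lines(text):
    """(line_no, line) pairs holding bytes outside printable ASCII (the '\\^P' style noise)."""
    return [(no, ln) for no, ln in enumerate(text.splitlines(), 1)
            if any((ord(c) < 0x20 and c != "\t") or ord(c) >= 0x7F for c in ln)]

def rst_limit_events(text):
    """The 'from N' rates of every closed-port RST rate-limit message (scan indicator)."""
    return [int(m.group(1)) for m in RST_LIMIT.finditer(text)]

def baseline_mismatches(text, baseline, threshold=0.8):
    """Lines absent from the known-good log, split into near-misses of a baseline line
    ('corrupted': looks like bit-level damage) and lines with no close match ('unexpected')."""
    good = baseline.splitlines()
    corrupted, unexpected = [], []
    for ln in text.splitlines():
        if ln in good or RST_LIMIT.search(ln):
            continue  # exact matches are fine; rate-limit lines are runtime, not boot, messages
        best = max(difflib.SequenceMatcher(None, ln, g).ratio() for g in good)
        (corrupted if best >= threshold else unexpected).append(ln)
    return corrupted, unexpected
```

A burst of rate-limit lines alone points at scanning; lines in the "corrupted" bucket are the ones worth comparing against a tripwire run or a boot from known-good media.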