Date: Wed, 15 Feb 2006 08:45:25 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: imbg11@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: 15 digit HEX string in /var/log/messages
Message-ID: <43F2EA25.1000108@infracaninophile.co.uk>
In-Reply-To: <43F24C48.9040702@gmail.com>
References: <43F24C48.9040702@gmail.com>
Tom Nguyen wrote:
> Greetings all,
>
> Running FreeBSD 5.4 stable on intel x86 platform. Need help in
> deciphering / figuring out what is the cause of strange 15 character HEX
> strings that are being logged in /var/log/messages:
>
> [...]
> Feb 14 13:11:39 hostx kernel: 3E0D0A3C6172656
> Feb 14 13:14:12 hostx kernel: 4163636570742D4
> Feb 14 13:14:19 hostx kernel: 69742532464C697
> Feb 14 13:14:26 hostx kernel: 4163636570742D4
> Feb 14 13:31:44 hostx kernel: 732E616861696E7
> Feb 14 13:32:31 hostx kernel: 415577426F41475
> Feb 14 13:32:31 hostx kernel: 415577426F41475
> Feb 14 13:33:40 hostx kernel: 2A0D0A416363657
> Feb 14 13:33:48 hostx kernel: 2E616861696E746
> Feb 14 13:33:49 hostx kernel: 736573736D656E7
> Feb 14 13:43:22 hostx kernel: 45414141412F2F2
> Feb 14 14:00:38 hostx kernel: 780D0A416363657
> Feb 14 14:02:45 hostx kernel: 0A200D0A09626F7
> Feb 14 14:13:19 hostx kernel: 70616765732F686
> Feb 14 14:39:10 hostx kernel: 64066FF3ED39E31
> Feb 14 14:47:57 hostx kernel: 414141414141414
> [...]
>
> This has been occurring for several weeks now. First thought was some
> type of attack but our IDS doesn't pick up anything unusual.
> Google searches don't give any clues. Can anyone shed some light on this?

Those strings look like the hex encoded byte values of mostly ascii text.
You can convert them into something potentially readable by:

    % perl -le 'print pack ("C7", ("414141414141414" =~ m/../g ) ) ;'
    )))))))

However what comes out is not anything recognisable. You might be able to
spot something within the larger quantities of data in your log files though.

I would hazard a guess here that what you are seeing is someone trying to
exploit a buffer overflow in some way.

The '4141414141' pattern is often used as a marker to show what bits of the
stack have been overwritten during the initial attempts to develop an
overflow. The next stage would be to inject shell code and together with
something like overwriting part of the stack frame so that a function call
jumps to executing that code. Voila, machine hacked.

Of course, I could be wrong, and this all might have a completely innocent
explanation. An in depth review of security would certainly be indicated
here though. Check all of the software you're running against databases of
exploits such as VuXML (http://vuxml.freebsd.org/), Secunia
(http://secunia.org/), CVE (http://www.cve.mitre.org/). Make sure all
software is up to date. Turn off anything you don't actually need to be
running, and configure other services not to listen on internet facing
network ports if they don't need to do that. Use tcpdump or similar
programs like ethereal to try and spot unexpected network traffic. Look
for core files from daemon processes, and examine them in a debugger --
sometimes you can tell that a process was crashed by an overflow attempt.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
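An added decoder for the fragments quoted in this thread (example code, not part of the original exchange). It assumes, as Matthew suggests, that each logged string is the hex encoding of byte values, and converts each pair with hex() rather than the decimal interpretation that pack("C7") gives the bare pairs in the one-liner above; the trailing odd nibble is dropped, and each fragment is labelled for triage. The sample log is a subset of the lines Tom posted.

```python
import re
import string

# Log lines as quoted in the thread (constructed subset for this example).
SAMPLE_LOG = """\
Feb 14 13:11:39 hostx kernel: 3E0D0A3C6172656
Feb 14 13:14:12 hostx kernel: 4163636570742D4
Feb 14 13:43:22 hostx kernel: 45414141412F2F2
Feb 14 14:13:19 hostx kernel: 70616765732F686
Feb 14 14:39:10 hostx kernel: 64066FF3ED39E31
Feb 14 14:47:57 hostx kernel: 414141414141414
"""

# A syslog line whose kernel message is exactly 15 hex digits, as in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<hex>[0-9A-Fa-f]{15})$"
)

PRINTABLE = set(bytes(string.printable, "ascii"))


def decode_fragment(hexstr):
    """Decode pairs of hex digits as byte values; a trailing odd nibble is dropped."""
    usable = hexstr[: len(hexstr) // 2 * 2]
    return bytes.fromhex(usable)


def classify(raw):
    """Label a decoded fragment for triage."""
    if all(b == 0x41 for b in raw):
        return "filler"   # an unbroken run of 'A' (0x41), the marker pattern Matthew describes
    if all(b in PRINTABLE for b in raw):
        return "text"     # plain printable ASCII, e.g. the HTTP-header-like pieces above
    return "binary"       # contains bytes outside printable ASCII


def parse_log(text):
    """Return (timestamp, hex, decoded bytes, label) for each matching line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = decode_fragment(m.group("hex"))
        rows.append((m.group("ts"), m.group("hex"), raw, classify(raw)))
    return rows


if __name__ == "__main__":
    for ts, hx, raw, label in parse_log(SAMPLE_LOG):
        print(f"{ts}  {hx}  {label:7}  {raw!r}")
```

Run against the full /var/log/messages, the "text" rows can be read in sequence to see what protocol the fragments came from, while "binary" rows are the ones worth keeping for a closer look.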