Date: Fri, 7 May 1999 19:59:51 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: security@freebsd.org
Subject: Unusual syslog packets, crashing named...
Message-ID: <Pine.BSF.3.96.990507194356.10056B-100000@fledge.watson.org>
This afternoon I logged some unusual packets from cp-pm4.glas.apc.org
coming into the syslog port on two of my hosts (one BSD/OS, the other
FreeBSD). Since I am not in the habit of accepting [syslog] packets from
strangers, I tcpdump'd them. I've attached syslogd getting upset, a copy
of two packets in hex form, and the useful text from the packet below
that. I don't know if this is a port scan, or what it is, but sending
packets to other people's hosts using syslog is not very polite. Any takers
on what this is exactly?
May 7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure mode
May 7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure mode
May 7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure mode
May 7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure mode
17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp 96
4500 007c 1aae 0000 f411 1128 c17c 05c1
cf56 0407 03ff 0202 0068 752f 3c31 343e
4368 6f69 6365 4e65 7420 426c 6f63 6b20
3139 352e 3231 382e 3235 312e 3520 2d20
3030 2035 3020 3034 2037 6120 3566 2062
6420 6435 2030 6120 3030 2030 6620 6537
2035 6320 3530 2031 3120 3232 2033 3820
6461 2035 6620 3030 2030 3020
17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp 108
4500 0088 1a37 0000 ee11 1222 c17c 05c1
cc9c 0c32 03ff 0202 0074 1f36 3c31 343e
4368 6f69 6365 4e65 7420 426c 6f63 6b20
3139 352e 3231 382e 3235 312e 3520 2d20
3030 2035 3020 3034 2037 3820 3330 2038
6320 3865 2031 6320 3030 2030 6620 6362
2037 6520 3630 2031 3220 3434 2037 3020
3263 2066 3920 3030 2030 3020 3032 2030
3420 3035 2062 3420
Useful text extracted:
(some headers) followed by
<14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78 00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05 b4
Unfortunately, I don't have an IP for the host in question, as I didn't
log that (that is just stdout from tcpdump, because the packets stopped
shortly afterwards).
Also, this morning, I observed a coredump of named on another of my hosts.
Both of these hosts are running 2.2-stable at the end of the 2.2 branch
lifetime. I'm a little concerned. Are there any known issues with the
version of named last shipped with 2.2-stable (4.9.7-T1B)? Anyone know
what these syslog packets might mean? (the content is a little weird).
May 7 08:42:37 cyrus /kernel: pid 106 (named), uid 0: exited on signal 11
Robert N Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
Safeport Network Services http://www.safeport.com/
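Added example, not part of the original post: a small decoder for the hex-dumped IPv4/UDP/syslog datagram in the message above. It verifies the IP header checksum, checks that the datagram is a complete UDP packet to port 514, and splits out the RFC 3164 PRI field ("<14>" is facility 1, severity "info"). The hex is copied from the second tcpdump dump in the message (the packet to fledge.watson.org); the field names and the facility/severity split are the standard syslog encoding, not anything stated in the post.

```python
import struct

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Hex copied from the tcpdump dump in the message (second packet, to fledge.watson.org).
PACKET_FLEDGE = bytes.fromhex(
    "4500 0088 1a37 0000 ee11 1222 c17c 05c1 cc9c 0c32 03ff 0202 0074 1f36"
    "3c31 343e 4368 6f69 6365 4e65 7420 426c 6f63 6b20 3139 352e 3231 382e"
    "3235 312e 3520 2d20 3030 2035 3020 3034 2037 3820 3330 2038 6320 3865"
    "2031 6320 3030 2030 6620 6362 2037 6520 3630 2031 3220 3434 2037 3020"
    "3263 2066 3920 3030 2030 3020 3032 2030 3420 3035 2062 3420")


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words; 0 means it verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_syslog_packet(raw: bytes) -> dict:
    """Walk IPv4 -> UDP -> RFC 3164 syslog and return the fields an analyst would triage."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or len(raw) < ihl or ip_checksum(raw[:ihl]) != 0:
        raise ValueError("IPv4 header missing or checksum mismatch")
    total_len, ttl, proto = struct.unpack("!H", raw[2:4])[0], raw[8], raw[9]
    if proto != 17 or total_len != len(raw):
        raise ValueError("not a complete UDP datagram")
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > len(raw):
        raise ValueError("UDP length exceeds packet")
    text = raw[ihl + 8:ihl + ulen].decode("ascii", errors="replace")
    facility = severity = None
    # RFC 3164 PRI part: "<N>" with N = facility * 8 + severity, at most 3 digits.
    if text.startswith("<") and ">" in text[:5] and text[1:text.index(">")].isdigit():
        pri = int(text[1:text.index(">")])
        facility, severity = pri >> 3, SEVERITY[pri & 7]
        text = text[text.index(">") + 1:]
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "ttl": ttl, "sport": sport, "dport": dport, "is_syslog": dport == 514,
            "facility": facility, "severity": severity, "msg": text.rstrip()}


if __name__ == "__main__":
    print(decode_syslog_packet(PACKET_FLEDGE))
```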
