Date:      Fri, 7 May 1999 19:59:51 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        security@freebsd.org
Subject:   Unusual syslog packets, crashing named...
Message-ID:  <Pine.BSF.3.96.990507194356.10056B-100000@fledge.watson.org>

This afternoon I logged some unusual packets from cp-pm4.glas.apc.org
coming into the syslog port on two of my hosts (one BSD/OS, the other
FreeBSD).  Since I am not in the habit of accepting [syslog] packets from
strangers, I tcpdump'd them.  I've attached syslogd getting upset, a copy
of two packets in hex form, and the useful text from the packet below
that.  I don't know if this is a port scan, or what it is, but sending
ports to other people's hosts using syslog is not very polite.  Any takers
on what this is exactly?

May  7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure mode
May  7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure mode
May  7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure mode
May  7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure mode


17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp 96
                         4500 007c 1aae 0000 f411 1128 c17c 05c1
                         cf56 0407 03ff 0202 0068 752f 3c31 343e
                         4368 6f69 6365 4e65 7420 426c 6f63 6b20
                         3139 352e 3231 382e 3235 312e 3520 2d20
                         3030 2035 3020 3034 2037 6120 3566 2062
                         6420 6435 2030 6120 3030 2030 6620 6537
                         2035 6320 3530 2031 3120 3232 2033 3820
                         6461 2035 6620 3030 2030 3020

17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp 108
                         4500 0088 1a37 0000 ee11 1222 c17c 05c1
                         cc9c 0c32 03ff 0202 0074 1f36 3c31 343e
                         4368 6f69 6365 4e65 7420 426c 6f63 6b20
                         3139 352e 3231 382e 3235 312e 3520 2d20
                         3030 2035 3020 3034 2037 3820 3330 2038
                         6320 3865 2031 6320 3030 2030 6620 6362
                         2037 6520 3630 2031 3220 3434 2037 3020
                         3263 2066 3920 3030 2030 3020 3032 2030
                         3420 3035 2062 3420


Useful text extracted:
(some headers) followed by
<14>ChoiceNet Block 195.218.251.5 - 00 50 04 7b 30 c6 12 78 00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05 b4

Unfortunately, I don't have an IP for the host in question, as I didn't
log that (that is just stdout from tcpdump, because the packets stopped
shortly afterwards).

Also, this morning, I observed a coredump of named on another of my hosts. 
Both of these hosts are running 2.2-stable at the end of the 2.2 branch
lifetime.  I'm a little concerned.  Are there any known issues with the
version of named last shipped with 2.2-stable (4.9.7-T1B)?  Anyone know
what these syslog packets might mean?  (the content is a little weird). 

May  7 08:42:37 cyrus /kernel: pid 106 (named), uid 0: exited on signal 11


  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/
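The two hex dumps in the mail are complete packets (124 and 136 bytes, matching their IP total-length fields), so they can be decoded all the way down. The decoder below is an added example, not code from the mail or from FreeBSD: it walks IPv4 -> UDP -> syslog PRI/MSG, verifies the IP header checksum and the length fields, splits the PRI (`<14>` is facility 1, user-level, severity 6, informational), and then parses the hex octets after " - " as a TCP header. That last step is an interpretation the data supports rather than something the mail states: the octets decode consistently as a 20- and a 24-byte TCP header from source port 80 (FIN/ACK and SYN/ACK, the second carrying an MSS option of 1460), and the dumps also show that the "Useful text extracted" block in the mail comes from a third packet, not from either dump. The packet constants are copied from the mail; everything else (function names, the dict layout) is my own.

```python
"""Decode the two tcpdump -x dumps quoted above: IPv4 -> UDP -> syslog, then
parse the hex octets at the tail of each syslog message as a TCP header."""
import re
import socket
import struct

# Constructed copies of the two dumps in the mail (both complete packets).
PACKET_TO_MODARCHIVE = """
4500 007c 1aae 0000 f411 1128 c17c 05c1
cf56 0407 03ff 0202 0068 752f 3c31 343e
4368 6f69 6365 4e65 7420 426c 6f63 6b20
3139 352e 3231 382e 3235 312e 3520 2d20
3030 2035 3020 3034 2037 6120 3566 2062
6420 6435 2030 6120 3030 2030 6620 6537
2035 6320 3530 2031 3120 3232 2033 3820
6461 2035 6620 3030 2030 3020
"""
PACKET_TO_FLEDGE = """
4500 0088 1a37 0000 ee11 1222 c17c 05c1
cc9c 0c32 03ff 0202 0074 1f36 3c31 343e
4368 6f69 6365 4e65 7420 426c 6f63 6b20
3139 352e 3231 382e 3235 312e 3520 2d20
3030 2035 3020 3034 2037 3820 3330 2038
6320 3865 2031 6320 3030 2030 6620 6362
2037 6520 3630 2031 3220 3434 2037 3020
3263 2066 3920 3030 2030 3020 3032 2030
3420 3035 2062 3420
"""

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def hexdump_to_bytes(text):
    """tcpdump -x prints 16-bit words separated by whitespace; collapse them."""
    return bytes.fromhex("".join(text.split()))


def ones_complement_sum(data):
    """RFC 1071 checksum: returns 0 over a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_header(raw):
    """Parse a bare TCP header (no pseudo-header here, so no checksum check)."""
    sport, dport, seq, ack, off_flags, win, _ck, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(raw):
        raise ValueError("TCP data offset %d vs %d bytes present" % (data_off, len(raw)))
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    mss, opts, i = None, raw[20:data_off], 0
    while i < len(opts):                      # walk kind/len/value options
        kind = opts[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:         # MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "mss": mss, "header_len": data_off}


def decode_packet(hex_text):
    """IPv4 -> UDP -> syslog PRI/MSG -> trailing octets as a TCP header."""
    pkt = hexdump_to_bytes(hex_text)
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    if total_len != len(pkt):
        raise ValueError("dump has %d bytes, IP total length says %d" % (len(pkt), total_len))
    if ones_complement_sum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    sport, dport, ulen, _uck = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen != total_len - ihl:
        raise ValueError("UDP length does not match IP total length")
    payload = pkt[ihl + 8:ihl + ulen]
    # RFC 3164 framing: <PRI>MSG with PRI = facility * 8 + severity.
    m = re.match(rb"<(\d{1,3})>(.*)\Z", payload, re.S)
    if not m:
        raise ValueError("no syslog PRI in payload")
    facility, severity = divmod(int(m.group(1)), 8)
    msg = m.group(2).decode("ascii", "replace")
    head, sep, hexpart = msg.partition(" - ")
    tcp = parse_tcp_header(bytes.fromhex(hexpart)) if sep else None
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "payload_len": len(payload),
            "facility": facility, "severity": severity, "message": head, "tcp": tcp}


if __name__ == "__main__":
    for name, dump in (("modarchive", PACKET_TO_MODARCHIVE), ("fledge", PACKET_TO_FLEDGE)):
        print(name, decode_packet(dump))
```

Both dumps pass the IP checksum and length checks, i.e. they are not truncated or mangled captures. The "discarded N unwanted packets in secure mode" lines in the mail are what FreeBSD's syslogd logs when it was started with `-s` and a datagram arrives on UDP/514; the source address in the dumps is 193.124.5.193, which answers the "I don't have an IP for the host" remark.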




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



