Date: Fri, 7 May 1999 19:59:51 -0400 (EDT) From: Robert Watson <robert@cyrus.watson.org> To: security@freebsd.org Subject: Unusual syslog packets, crashing named... Message-ID: <Pine.BSF.3.96.990507194356.10056B-100000@fledge.watson.org>
next in thread | raw e-mail | index | archive | help
This afternoon I logged some unusual packets from cp-pm4.glas.apc.org
coming into the syslog port on two of hosts (one BSD/OS, the other
FreeBSD). Since I am not in the habit of accepting [syslog] packets from
strangers, I tcpdum'd them. I've attached syslogd getting upset, a copy
of two packets in hex form, and the useful text from the packet below
that. I don't know if this is a port scan, or what it is, but sending
ports to other people's hosts using syslog is not very polite. Any takers
on what this is exactly?
May 7 17:39:03 fledge syslogd: discarded 1 unwanted packets in secure
mode
May 7 17:39:20 fledge syslogd: discarded 2 unwanted packets in secure
mode
May 7 17:40:10 fledge syslogd: discarded 4 unwanted packets in secure
mode
May 7 17:43:37 fledge syslogd: discarded 8 unwanted packets in secure
mode
17:40:21.740443 cp-pm4.glas.apc.org.1023 > www.modarchive.com.syslog: udp
96
4500 007c 1aae 0000 f411 1128 c17c 05c1
cf56 0407 03ff 0202 0068 752f 3c31 343e
4368 6f69 6365 4e65 7420 426c 6f63 6b20
3139 352e 3231 382e 3235 312e 3520 2d20
3030 2035 3020 3034 2037 6120 3566 2062
6420 6435 2030 6120 3030 2030 6620 6537
2035 6320 3530 2031 3120 3232 2033 3820
6461 2035 6620 3030 2030 3020
17:40:10.980831 cp-pm4.glas.apc.org.1023 > fledge.watson.org.syslog: udp
108
4500 0088 1a37 0000 ee11 1222 c17c 05c1
cc9c 0c32 03ff 0202 0074 1f36 3c31 343e
4368 6f69 6365 4e65 7420 426c 6f63 6b20
3139 352e 3231 382e 3235 312e 3520 2d20
3030 2035 3020 3034 2037 3820 3330 2038
6320 3865 2031 6320 3030 2030 6620 6362
2037 6520 3630 2031 3220 3434 2037 3020
3263 2066 3920 3030 2030 3020 3032 2030
3420 3035 2062 3420
Useful text extracted:
(some headers) followed by
<14>ChoiceNet Block 195.218.25
1.5 - 00 50 04 7b 30 c6 12 78 00 10 0c ed 60 12 44 70 66 f1 00 00 02 04 05
b4
Unfortunately, I don't have an IP for the host in question, as I didn't
log that (that is just stdout from tcpdump, because the packets stopped
shortly afterwards).
Also, this morning, I observed a coredump of named on another of my hosts.
Both of these hosts are running 2.2-stable at the end of the 2.2 branch
lifetime. I'm a little concerned. Are there any known issues with the
version of named last shipped with 2.2-stable (4.9.7-T1B)? Anyone know
what these syslog packets might mean? (the content is a little weird).
May 7 08:42:37 cyrus /kernel: pid 106 (named), uid 0: exited on signal 11
Robert N Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
Safeport Network Services http://www.safeport.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990507194356.10056B-100000>