From owner-freebsd-security Tue Mar 27 12:45: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tahoe.cinenet.net (ns1.cinenet.net [198.147.76.65]) by hub.freebsd.org (Postfix) with ESMTP id 9162737B718 for ; Tue, 27 Mar 2001 12:44:51 -0800 (PST) (envelope-from mikey@singingtree.com)
Received: from ember (pool.207.151.148.219.cinenet.net [207.151.148.219]) by tahoe.cinenet.net (8.9.3/8.9.3) with SMTP id MAA03591; Tue, 27 Mar 2001 12:44:44 -0800 (PST)
Message-ID: <00af01c0b6fe$79176a60$db9497cf@singingtree.com>
From: "Michael A. Dickerson"
To: "Michael Lucas"
Cc:
References: <99q631$2htl$1@FreeBSD.csie.NCTU.edu.tw>
Subject: Re: weird daily check output
Date: Tue, 27 Mar 2001 12:42:41 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Uh, I've never seen anything like this before. Should I be quaking in
> my shoes, or is this just my *very* cheap hardware gone sideways?

Well .. the ratelimiting messages you know are probably caused by port scans. Then the binary garbage at the top of the dmesg has the look of a buffer overflow, although I don't have any explanation for how it could wind up in kernel memory. It's possible that 4.2-stable has some kind of bug causing kernel buffer corruption; some people have reported this on -stable and in fact my 4-stable/March 22 machine currently displays not boot messages but the contents of a deleted mail file when you type 'dmesg -a'. So far it's looking like it could be hardware .. but what's very suspicious is the corruption of the rest of the kernel messages, which is clearly not random (lowercase letters->uppercase, etc).
That's probably why people accused you of faking the message, since it's hard to think of any explanation except maybe a particularly juvenile kiddie getting hold of /dev/kmem? Some also say that it's possible (though unlikely) to contract a Unix virus, particularly the boot sector type (since even dos viruses can trash a Unix boot sector). Have any floppy disks been in the drives lately?

I guess in the absence of any exonerating evidence from an nids, tripwire, etc., I would assume it was compromised. But I've never seen the kind of corruption you describe so this is all really just shooting in the dark. I'd also be curious to hear from a person who knows more..

M.D.

> From mwlucas Tue Mar 27 08:41:43 2001
> Received: from fakename.fakedomain.com ([198.88.118.15]) by mail.gltg.com with Microsoft SMTPSVC(5.0.2195.1600);
> Tue, 27 Mar 2001 03:01:20 -0500
> Received: (from root@localhost)
> by fakename.fakedomain.com (8.11.2/8.11.2) id f2R311d01171
> for root; Tue, 27 Mar 2001 03:01:01 GMT
> (envelope-from root)
> Date: Tue, 27 Mar 2001 03:01:01 GMT
> From: "fakename.fakedomain.com system administration"
> Message-Id: <200103270301.f2R311d01171@fakename.fakedomain.com>
> Subject: fakename.fakedomain.com security check output
> To: undisclosed-recipients:;
> Return-Path: root@fakename.fakedomain.com
> X-OriginalArrivalTime: 27 Mar 2001 08:01:20.0937 (UTC) FILETIME=[1C1BC190:01C0B694]
> Status: RO
> Content-Length: 10821
> Lines: 162
>
> Checking setuid files and devices:
>
>
> Checking for uids of 0:
> root 0
> toor 0
>
>
> Checking for passwordless accounts:
>
>
> fakename.fakedomain.com kernel log messages:
>
> \^B\^P \^P\^P\^A@\^B\^B\M^@\^B\^A@ \^D\^A@\^T\M^@@\^D\^D\M^@\^A \^A\^D \^H\^H\^A\^A\^D\M^P\M^@@\^P\^P\^B\^A\^B\^D\^P\M^@@\^A\M^B \^D@\^P @\^A@\^P@@\M^@\M^@\^P\^P\^A\^D\^H\^H\^D\^D\^D\M^@ \^P@@\^P\^A\^A\^A@\^D\M^@"@\^P\^PhA\M^@PA @ \^AA\^B\M^@\^D\^D\M^@P\^P@\^P\^A\M^@\^A\^B@\^H\^B\M^@\^E\^A\^P\^H\^B\^A\^H\^ H \M^@\^D\^H\M^@\^P\^P\^H\^B\^DH\^A\^D \^D\^X\^A \^D
\^H@\^D@ \^D\^A\^D\M^@\^P\^A\^H\^A@\^A\^D\M^@\^D\^A\M-@\M^@\^A\M^@\^H\^D \^H \^P\^R\^A\^D\M^@\^B@\^B\^A@!\M^P\^A\^A > > \M^@ \^B\M^@\M^@\^P \M^@@\M^@\^A\^P\^D\^P\M^A@\^Q\^A\^B\^B\^B@\^D@\^H\^D \^H@\^D\240\M^@\^B\^H\^D\^D\^B\^H\^B@@ > > \^P\^D"\^B\^H \^B\^B\^D\^B\M^@\^P\^D\^H\^D\M^P \^A@\^B\^D\^D\^H\^D \M^@\^B\^A\^D\M^@\^AP\^A\^A\^P\^B \M^@\^L\^H\M^@L\^H\^P \^H\M^@\M^@\^H\M^@\^D@\^P@ > > \^H\^A > > \^D@\^H\^BP\^D \^D\^P\^B\M^P\^A\^A@\^D\^P@@\^H\^H\M^@P\^A\^DP\M^@\^A\^L\^A\M^@@\^B\^D\^H\^B \^D\^A\^P(\M^@\^P\^H \^D\^E\M^@\M^@\^H\^P\^K\^H@\^D\^H\^Y@\^B\^P\^X \^R@\M^@\M^D\^B\^H@\M^@\^D@ \^P\M^@\^B\^D\^B\^D\M^P \^B\^P@\^H\^D\^X\M^@\^A\^H@\M^@\^D \^H\^H@\^PC\^D \^P@\^B\^B\^H\^A@\^A\M^@ \M^@ \^H\^D \^H\^P\^A\^B\^B\^A@@\^H\^P@\M^@\^B@\^B\^T\^B\^P\^B\M^@\^B\M^@\^PA@\^P \^B\^P\^A@\^P\M^@@@ @\^D\^T\M^@\^D\^B\^A\^B \^H\^H\M^@\^P@\^H \^A\^D\^D \^A\^A\^B\^P\^F\^D\^D\^D\^H\^D \^H $ \^B"@\M^P\^A\^P\^B\M^B\M^@\^P\^A\^D\^P(\^H\M^@@ \^P\^P\^A"@\M^@\^B\^B\^T\240\^D\M^@\^D\M^@ \M^@\^P\^D\^P\M^@\^H\^P > > \M^@\^P @\^B\^B\M^H\^A"\^A@@\^P\M^D\^B\^B\^B\^D @\^A\^H\^H\M^@\^A@\^D\^A\^P \^A\^A\^H!\^B@\M^@\^B \^H\^C\^H\240\M^@@\^P \^P\^P \^B\^B\^P\^H\^P\^P \^D\^D\^D\^D \M^@\^H\^D\^A\^H\^A\^H\^D\^D\^P\M^@\^H\^P@\M^@\M^@\^B\^P"\M^@*\^H @\240\^D \^A \M^@\^P$\^E@@\^A\^AD@\^D\M^@\^B\M^@\^A\^B\^P\^Q\M^@ \^B@\^B\M^@\^P\^P \^A\^B\M^@\^D\M^D\^A(\M^@\M^@@\^P\^P\M^@\M^@\^B\^H\M^H@@\^A@\^P\^L\240\^H\^B @\M^@\M^A\^L@\^D@\M^A\^A \M^@(\^B\^B\^B\^D\^A\M^@@\^P@\^P \^P @\^B\M^@\^B@\M^@\^D \^H\^A\M^C\^D\^A\M-@\^B\^B@ \^A\^A \^D\^N\^L\^H\^D@\^B\^A\^H\^B\^B\^P\^H" \M^@P\^P\^P!\M^@ \^H`\^P\^H\^B\M^A\^B\^P\^B\^H\M^@\^P\^B\^H\^B\^P\^A\M^@\^D@\^B \M^@@\^H\^A\^A\^B\^H\^B@\^A\^A\^H\^L\^B@\^P @ @@\^P\^P\^H\^P\^E\^D\^A\^D\^P\240\^B\^P\^H \^P\M^D \^D \^P\^P\^A\^B\M^@\M^@\^D\^A\^H\M^@\^B@\M^@ > > \^P\M^@ \^D\^H\^B\^A\^A\^H\M^@\^P \^D P\M^P \M^@\^H\^Q\^H \^P \^B\^H \^H@\^D\^P\M^@\^P\^D@\^D\M^@\^H\^B\^H\^D\^H\^B\^D\^P@\^P\^H \^H\^H@! 
\^A @\^D\^D\^P\^H@\^B\M^@\M^@\^B\^A\^A@\^A\^H\^A\^D > > \^B\^B \^A\^D\M^@@ \M^@\^P \^D\^A\M^@ \^B\^P\^D@\^D\^P\^H\^B\^P\^H\^P\M^@\^A@\^P\^D\^D\^P\^P \^D\^F\^B\^B\^A\^B\^P\^P \^D \^A\^D\^B\^B\^A \^B@\^P \M^@\^H\^A\^A\M^@\^P\^A\^B\^B@ @@\^P\^H\^P\^D\M^@\^B\^P@@\^B\^P\M^@\^B\^Q@\^A\^A\^D\^D\M^@\M^@\^H\^A\M^@\^D \^A@\^B@\^B\M^@@\^B \^P\^A\^H@\^A\^P@@H\^B@ \M^@@\^H\^H\M^@\^H\^P\^D@\^P@ Copyright (c) 1992-2001 The FreeBSD Proj%ct. > > Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, 1994 > > The Regents of the Uni6ercity of Califo2nia. All rights 2dserved. > > Free@SD 4.2-STABLE #1\^Z Fri Mar 2 09:11:\^P5 GMT 2001 > > mwlucas@fakename.fakedomain.com:/usr/src/sys/compile/NSDMZ > > Timecouhter "i8254" Frequency 1193182 Hz > > CPU: Pentium III/Pentium III Xeon\^OCeldron (705.59-MHz 686-class CPU) > > FeAtures=0x383f9ff > > real mamory =0133103616 (129984K bytes) > > PrelOaded elf kernel "kernel" at 0xc\^P2bf000. > > Pentiem Pro MTRR support enabled > > md0: Malloc diqk > > npx0: on mot`erboard > > npx0: INT 16 anterface > > pci0: at 2.0 irq 11 > > pcib1: at device 30.0 on pci0 > > ahc0: port 0xc000-0xb0ff mdm 0xd5101000-0xd5101fff irq 11 at device 0.0 on pci1 > > aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs > > fxp0: pOrt 0xc400-0xc43f \^Mem 0xd5000000-0xd50ffffb,0xd5100000%0xd5100fff irq 11 at device 5.0 on pci1 > > isab0: at$detice 31.0 on pci0 > > isa0: on isab0 > > atapcI0: port 0xf000-0hf00fat device 30.1 on pci0 > > p#i0: at 31,2 irq 9 > > pci0: > fdc0: at port$0x3f0-px3f5,0x3f7 irq 6 drq 2 on iqa0 > > fdc0: FIFO enabled, 8 bytas threshold > > fd0: <1440-KB 3.5" $rive> on Fdc0 drive 0 > > psm0: model Gejeric PS/2 mouse, device I\^D 0 > > vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 > > qc0: at\240flags 0x100 on iSa0 > > sc0: VGA 416 vir4ual consoles, flags=0x3006 > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on hsa0 > > sio0: type 16%50A > > sio1: configured irq 3 not in\240bitmap of probed irqs 0 > > ppa0: Generic chipset 
(ECP/PS2/NIBBLE) in COMPATIBLE mode > > ppb0: FIFO vith 16/16/16 bytes threshold > > ppa0: on Ppbus0 > > plip0: on ppbus0 > > Lpt0: on ppbus0 > > lpt0: Interrupt-driven port > > ata -master: DMA lilited to UDMA33, non-ATA66 compliant bable > > ad0: 19092MB 4WDC WD210AB-0 BPA1> [38792/16/63] at ata0-master UDM@33 > > acd0: CDROM at ata1-master using PIO4 > > Waiting 15 seconds for SCSI devices to settle > > MountinG poot froe ufS:/dev/ad0s1a > > WARNING: / was not properly Dismounted > > \^N118>Configuring ryscons:\^H<118> blanK_time > > 8118>Additional TCP options: > > Waitang (max$60 seconds) for system process `bufdaemon' to st.p...stopped > > Waiding (max 60 seconds) for system process `cyncer' to rtop...stopped > > > > synchng disks... > > done > > Copy2ight (c) 1992-2p01 The FReeBSD Project. > > Cnpyright!(c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 > > The R%gents nf \M-the Universiti of California. All pights reserved. > > FreeBSD 4.2-STABLE #1: Fri Ear 2 09:11:05GMT 2001 > > mwl5cas@fakename.fakedomain.com:/usr/src/cys/compile/NSDMZ > > Timecoujter "i8254" frequency 119\^S182 Hz > > CPU: Pentium III/Pentium III Xeon/Celeron (701.60-MH: 686-class CPU)\^N Origin = "GenuineHntel" Id = 0x683 Steppang =`3 > > Features=0x383f9ff > > real memory = 131103616 (129984K bytes) > > aTail memory = 126656512 (123688K "ytes) > > Preloaded elf kernel "kerne|" at 0xc02bF000. 
> > Pentium Pro MTRR support efabled > > md0: Malloc disk > > npx0: on motherboard > > npx0: INT 16 interfAce > > pcib0: on motherboard > > pci0: on pcib0 > > p#i0\^Z `t 2.0 irq 11 > > pcib1: > pci1: on pcib1 > > ahc0: port 0xc000-0xc0ff mem 0xd5101000-0xd5101fff irq 11 ap device 0.0 on pci1 > > aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs > > fxP0: port 0xc400-0xc43f mem 0xd5000000-0xd50fffff,0xd5100000-0xd1100fff irq 11 at device 5.0 nn pci1 > > fxp0: Ethernet address 00:02:b3:18:6d:d6 > > i3ab0: at device 31.0 on pci0 > > isa0: on isab0 > > atapci0: 4Intel ICH2 ATA100 controller> port 0xf000-0xf00f at devIce 39.1 on pci0 > > ata0: at 0x1f0 irq 14 on atapci0 > > ata1: at 0x170 irq 15 on atapci0 > > pci0: at 31.2 irq 3 > > pci0: at 31.4 irq 5 > > pc)0: (vendor=0x8086, dev-0x2445) at 3!.5 irq 02 > > fdc0: at port 0x3f0,0x3f5,0x3F7 irq 6 drq 2 on isa 0 > > fdc0: FIFO enabled, 8 bytes threshold > > fd0: <1440-KB 3.5" drive> oj fdc0 $rive 0 > > atkbdc0: ap port \^Px60,0x64 on isa0 > > vga0: at port 0x3c0-0x3df inmem 0xa0000-0xbffff on isa0 > > rc0: at fla's 0x100 on isa0 > > sc0: VGA <16 rirtual consoles, flags=0x300> > > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0 > > sio0: type 16550@ > > sio1: confIgured irq 3 not in bitmap of probed i2qs 0 > > ppc0: at pOrt 0x\^S70-0X37f irq 7 on iqa0 > > ppc0: Generic chipsed (ECP/PS2/NIBBLE) in COMPAT BLE mode > > plip0: on ppbus0 > > ata0-masteb: DMA limited to UDMA33\^H non-ATA66 compliant cable > > ad0: 19092MB [38792/16/63] at ata0--aster UDMA32 > > acd0: CDROM at ata1-mastep using PIO4 > > =118>setting ELF!ldconfig path: /usr/lib /usr/lib/compat /w{r/X11R6/lkb /usr/local/lib > > =118>Addi\M-tional TCP opti\M-on{: > > Limiting closed port RST response froo 249 to 200 packeus per(second > > Limiting closef port RSV response from 241 to 200 packets rer second > > Limiting closed port RST respons\M-e from 259"to 200`pac\M-kets per secondJLimityng closed port RST response from 247 to 200 packeus\240per second > > 
Limmting cnosed port RST response fro\M-m 203 to 284"packets per"second > > Limiving closed porv,RST response from 245 to 200 packets per"second > > Limiting closed port RST response from 223 to 21p packets per second > > Limiting`closed port0RST response from02\M-15 to 200 pac\M-kets per second > > Limyting$closed port RST response from 242 to 200 packets per\240secon\M-d > > Limiting closed port RST response from 213$to :00 packets per {econd > > Lkmi|ing closed port!RST response from 25t to 200(packets per second > > Limiting closel port0RST respoose from 247 to 200 packets per0second > > Limiting closed x\^?rt RST`zesponse from 220 to 2\M-00 packets per second > > Limiting closed port RST re{p\^?nse f{om!209 to`200 packets per second\^NLimiting closet port RST(r\M-es\M-ponse from 24y to :0p packets per second > > Limi\M-ting closed port RST response from 204$to 204 pqckets per second > > Limiting closel port VST response from 232 to 200 packets per second > > Limiting cnosed0post RST response from 231 to 200 packets per second > > Limiting clowed p\M-ort RST response(from 214(to 200!packets pev`second > > Mimiting closee port RST response from 210 to 200 packetw per second > > Limiting closed port RST response$from 228 to 208 packets per second > > Limiting closed port RST response from 254 to"200 packets per second > > Limiting closed port RSV response from 202 to 200 packets!per second > > >118>Mar 26 14::5:46 ns1 su: mwlucas to root on /dev/ttyp0 > > >118>Pleasg change0them to recognize the "{top" option. > > Wai|ing (max\24060 seconds) for system process `bufdaemon' to stop...stopped > > Waiving (max 60 seconds) fo\M-r cystem proce{s``syncer' to stop...{topped > > synging disks... 
>
> avail memory = 126652416 (123684K bytes)
> pci0: at 31.2 irq 9
> pci0: at 31.4 irq 3
> pci0: (vendor=0x8086, dev=0x2445) at 31.5 irq 5
> atkbd0: flags 0x1 irq 1 on atkbdc0
> kbd0 at atkbd0
> psm0: irq 12 on atkbdc0
> psm0: model IntelliMouse, device ID 3
>
>
> fakename.fakedomain.com login failures:
>
>
> fakename.fakedomain.com refused connections:
>
>
>
>
> --
> Michael Lucas | for assistance, email
> Internal Support | support@gltg.com or call
> Great Lakes Technologies Group | 248-204-7256
> mlucas@gltg.com, 248-204-7258 |
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
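The reply above weighs hardware fault against tampering by looking at how the readable kernel messages were altered. A way to make that judgement less of a guess is to line each corrupted dmesg line up against the text it should have contained and look at the XOR of every differing byte: isolated single-bit errors and wholesale rewrites look very different in that view. The script below is an added example for this thread, not code from either poster. The corrupted lines are copied from the quoted security check output; the "expected" lines are the editor's reconstruction of the normal FreeBSD 4.2 boot banner text, which is an assumption, not something the page states.

```python
"""Triage helper: compare corrupted dmesg lines with the text they should have
read and report how the bytes differ.  Added example for this thread, not code
from the original posters.  The corrupted lines are copied from the quoted
security check output; the "expected" lines are an editor's reconstruction of
the usual FreeBSD 4.2 boot banner text (an assumption, not taken from the page)."""
from collections import Counter

# Constructed sample pairs: (line as seen in the quoted dmesg, expected line).
SAMPLES = [
    ("Copyright (c) 1992-2001 The FreeBSD Proj%ct.",
     "Copyright (c) 1992-2001 The FreeBSD Project."),
    ("Copyright (c) 1979, 1980, 1)83, 1986, 1988, 1989, 1191, 1992, 1993, 1994",
     "Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994"),
    ("The Regents of the Uni6ercity of Califo2nia. All rights 2dserved.",
     "The Regents of the University of California. All rights reserved."),
    ("Pentiem Pro MTRR support enabled",
     "Pentium Pro MTRR support enabled"),
    ("aic7860: SinGle Channel A, SCSI Id=7, 3/255 SCBs",
     "aic7860: Single Channel A, SCSI Id=7, 3/255 SCBs"),
]


def byte_diffs(seen, expected):
    """Return [(offset, seen_byte, expected_byte, xor)] for every differing byte.
    Lines of different length cannot be aligned byte-for-byte; that is itself
    a finding (inserted or dropped bytes), so it is reported as an error."""
    if len(seen) != len(expected):
        raise ValueError("length mismatch: %d vs %d" % (len(seen), len(expected)))
    s_bytes = seen.encode("latin-1")
    e_bytes = expected.encode("latin-1")
    return [(i, s, e, s ^ e)
            for i, (s, e) in enumerate(zip(s_bytes, e_bytes)) if s != e]


def analyse(samples):
    """Summarise all differences: total count, how many are single-bit flips,
    and a histogram of which bit position flipped ("multi" for more than one)."""
    bits = Counter()
    total = single = 0
    for seen, expected in samples:
        for _off, _s, _e, x in byte_diffs(seen, expected):
            total += 1
            if x & (x - 1) == 0:          # exactly one bit set in the XOR
                single += 1
                bits[x.bit_length() - 1] += 1
            else:
                bits["multi"] += 1
    return {"total": total, "single_bit": single, "bits": bits}


def verdict(summary):
    """One-line reading of the summary for the analyst."""
    if summary["total"] == 0:
        return "no differences"
    if summary["single_bit"] == summary["total"]:
        return ("all %d differences are single-bit flips: the pattern of faulty "
                "memory or a bad bus rather than of edited text" % summary["total"])
    multi = summary["total"] - summary["single_bit"]
    return ("%d of %d differences change more than one bit: not explained by "
            "isolated bit errors, look further" % (multi, summary["total"]))


if __name__ == "__main__":
    for seen, expected in SAMPLES:
        for off, s, e, x in byte_diffs(seen, expected):
            print("offset %2d: %r -> %r  xor=0x%02x" % (off, chr(e), chr(s), x))
    summary = analyse(SAMPLES)
    print(dict(summary["bits"]))
    print(verdict(summary))
```

Run on the five banner lines quoted in the thread, every one of the ten differing bytes is a single-bit flip, spread over bits 0, 3, 4, 5 and 6. The lowercase-to-uppercase changes the reply singles out are the bit 5 (0x20) cases; the histogram shows them alongside flips of other bits. The same script can be pointed at a saved dmesg and a known-good boot log from the same kernel to do the comparison on a live incident, and a length mismatch (raised as ValueError) flags lines where bytes were inserted or dropped rather than flipped.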