sean finney on Wed, 2 Oct 2002 20:03:09 -0400



Re: [PLUG] hacking attempt


On Wed, Oct 02, 2002 at 07:06:12PM -0400, Fred K Ollinger wrote:
> This looks like a nasty buffer overflow attempt.

yeah, kinda does... 

> How do I get more information about this? What do I do next?

well, i think for starters, look in your /var/log/* for the previous hour
or so for any other strange activity.  specifically, look for evidence
of port scanning (chances are they scanned you before trying to hit
you). specifically, if statd reports anything weird (like connection
hangups after no data being sent), but also other services may have
similar reports.  for example, if you got portscanned by someone who
didn't care enough to be covert about things, sshd would say something
like:

Oct  2 19:52:10 toy sshd[5399]: refused connect from <address>

or

Oct  2 19:52:18 toy sshd[5401]: Did not receive identification string from <address>

also, were there any messages from statd after that?  segmentation fault?
did it restart?

in the worst case scenario, that they've broken in and know what they're
doing, you've already lost, because they could have edited logfiles, inserted
trojans, etc.

> Did they get in? How do I know?

well i remember a report on bugtraq a while back about rpc.statd, though
i think it may have only been for solaris.  check security advisories for
your distribution, and in the case of redhat, try running up2date and see
if they say anything about a new version.  it's also possible that this
is not a hack attempt at statd, but at your dns resolving libraries, which
did very recently have a pretty nasty bug reported.

> Is there someway to find out who did this?

well, if they didn't break in, it's probably in your logs, if they did,
one way is to transparently put something else between your box and
the outside world and watch incoming traffic for the person to be
coming back.  you can't rely on anything done on the box in question.

> The server is running stock rh7.3. This is obviously an nfs hack attempt.

then the question i have is:  why are you making this service available to
the outside world in the first place?  

hth
--sean
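A small triage helper along the lines of the advice above, added here as an example and not part of the original thread: it scans sshd log lines for the two messages quoted in the post and reports source addresses that produced several of them within a short window, which is the pattern a noisy port scan leaves behind. The log lines, the hostname `toy`, and the 192.0.2.x addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the original post); 192.0.2.x is documentation space.
SAMPLE_LOG = """\
Oct  2 19:52:10 toy sshd[5399]: refused connect from 192.0.2.7
Oct  2 19:52:18 toy sshd[5401]: Did not receive identification string from 192.0.2.7
Oct  2 19:52:20 toy sshd[5402]: Did not receive identification string from 192.0.2.7
Oct  2 19:55:01 toy sshd[5410]: Accepted password for fred from 192.0.2.50 port 1022
Oct  2 19:58:44 toy rpc.statd[301]: gethostbyname/gethostbyaddr failed for 192.0.2.7
Oct  2 20:01:03 toy sshd[5420]: refused connect from 192.0.2.99
"""

# sshd messages that mean a connection arrived but no SSH exchange followed.
SCAN_RE = re.compile(
    r"sshd\[\d+\]: (?:refused connect from|Did not receive identification string from) (\S+)"
)
# Classic BSD syslog prefix: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")


def parse_events(log_text, year=2002):
    """Yield (timestamp, source_address) for every sshd line matching a scan pattern."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        hit = SCAN_RE.search(m.group(2))
        if hit:
            # syslog omits the year, so one is supplied to get a real datetime.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, hit.group(1)


def suspected_scanners(log_text, min_hits=2, window_seconds=600):
    """Map address -> max number of scan-like events it produced inside any window."""
    by_addr = defaultdict(list)
    for ts, addr in parse_events(log_text):
        by_addr[addr].append(ts)
    flagged = {}
    for addr, times in by_addr.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[addr] = best
    return flagged


if __name__ == "__main__":
    for addr, count in suspected_scanners(SAMPLE_LOG).items():
        print(f"{addr}: {count} scan-like sshd events within 10 minutes")
```

Point it at the real `/var/log/messages` (or `/var/log/secure` on Red Hat) for the hour before the statd message; a single hit from an address is not evidence of anything, which is why the threshold defaults to two.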
