Subject: syslogd exploit? (fwd)
From: Bill Cassady (bcassady SLIP-3.SLIP.NET)
Date: Tue Mar 21 2000 - 00:29:38 CST
---------- Forwarded message ----------
From: Elias Levy <aleph1 SECURITYFOCUS.COM>
Date: Mon, 20 Mar 2000 20:56:24 -0800
Subject: Bounced: syslogd exploit?
This message is more appropriate for the incidents mailing list at
incidents securityfocus.com.
Return-Path: <owner-bugtraq securityfocus.com>
Delivered-To: bugtraq lists.securityfocus.com
v 0.1.3.
This is a log of an incident where the entire partition containing the home
directory was wiped.
A couple of weeks prior to this incident, syslogd crashed; ps showed it
running, but it was not really logging.
After killing and restarting it, it resumed normal behavior.
Why was amd trying to remount something? What?
A knowledgeable friend suggested that entry could have been made through
syslogd.
But we'll never know, right?
-Bill Cassady
--------------F1AD4209347C117453FFE573
Content-Type: text/plain; charset=iso-8859-1; name="crash"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline; filename="crash"
Mar 16 09:32:24 osiris pppd[433]: Serial connection established.
Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0
Mar 16 09:32:25 osiris pppd[433]: Connect: ppp0 <--> /dev/modem
Mar 16 09:32:28 osiris pppd[433]: local IP address 216.7.176.224
Mar 16 09:32:28 osiris pppd[433]: remote IP address 205.134.234.50
Mar 16 09:32:58 osiris pppd[433]: IPXCP: timeout sending Config-Requests
Mar 16 17:13:48 osiris =
Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together
Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount o=
f ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P^P^P^P^P^P^P^P^P^P^P^P
Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#^PRr^??Rr^??Rr^??Rr^?=
?Rr^??
Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bil=
l by (uid=3D0) =
Mar 16 20:02:29 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Terminating on signal 2.
Mar 16 20:02:31 osiris pppd[433]: Connection terminated.
Mar 16 20:02:31 osiris pppd[433]: Exit.
--------------F1AD4209347C117453FFE573--
----- End forwarded message -----
-- Elias Levy SecurityFocus.com http://www.securityfocus.com/
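
Added example (not part of the forwarded message or the archive): a Python triage pass over a log like the attachment above. It undoes the quoted-printable encoding, then flags records with a malformed syslog tag, a long run of control characters, a shell metacharacter directly before a path, or the syslogd reassembly error. The sample lines are constructed from the attachment with the control-character run shortened; the 16-character threshold, the function names and the reason labels are assumptions.

```python
import quopri
import re

# Constructed sample modelled on the attachment; still quoted-printable
# encoded ("=" soft line breaks, "=3D" for "="), control run shortened.
SAMPLE_QP = (
    "Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0\n"
    "Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together\n"
    "Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount o=\n"
    "f " + "^P" * 40 + "\n"
    "Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h\n"
    "Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bil=\n"
    "l by (uid=3D0)\n"
)

SYSLOG = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")
TAG = re.compile(r"^[\w./-]+(\[\d+\])?: ")            # "prog: " or "prog[pid]: "
# Caret-notation (^P) or raw control bytes, 16 or more in a row (assumed threshold).
CTRL_RUN = re.compile(r"(?:\^[@-_?]){16,}|[\x00-\x08\x0e-\x1f\x7f]{16,}")
SHELL_PATH = re.compile(r"[;&|`]\s*/\S+")             # metacharacter, then a path


def decode_qp(text):
    """Undo quoted-printable so each syslog record is one line again."""
    raw = quopri.decodestring(text.encode("latin-1"))
    return raw.decode("latin-1").splitlines()


def triage(qp_text):
    """Return [(line_number, [reasons])] for records that deserve a closer look."""
    findings = []
    for n, line in enumerate(decode_qp(qp_text), 1):
        reasons = []
        m = SYSLOG.match(line)
        msg = m.group(2) if m else line
        if not m:
            reasons.append("not-syslog-format")
        elif not TAG.match(msg):
            reasons.append("malformed-tag")
        if CTRL_RUN.search(line):
            reasons.append("control-char-run")
        if SHELL_PATH.search(msg):
            reasons.append("shell-metachar-before-path")
        if "Cannot glue message parts together" in line:
            reasons.append("syslogd-reassembly-error")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_QP):
        print(n, ", ".join(reasons))
```

A flagged record is a prompt to correlate with process, login and filesystem evidence from the same time window, not a verdict on what happened.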