Subject: Re: syslogd exploit? (fwd)
From: Erich Meier (Erich.Meier@INFORMATIK.UNI-ERLANGEN.DE)
Date: Wed Mar 22 2000 - 02:54:06 CST
- Next message: markus tromday: "Re: lots of interest in port 109 (POP2)"
- Previous message: Bill Cassady: "syslogd exploit? (fwd)"
- In reply to: Bill Cassady: "syslogd exploit? (fwd)"
- Next in thread: Jeffrey F. Lawhorn: "Re: syslogd exploit? (fwd)"
- Reply: Erich Meier: "Re: syslogd exploit? (fwd)"
On Mon, Mar 20, 2000 at 10:29:38PM -0800, Bill Cassady wrote:
> ---------- Forwarded message ----------
> From: Elias Levy <aleph1@SECURITYFOCUS.COM>
> Date: Mon, 20 Mar 2000 20:56:24 -0800
> Subject: Bounced: syslogd exploit?
>
> This message is more appropriate for the incidents mailing list at
> incidents@securityfocus.com.
>
> Return-Path: <owner-bugtraq@securityfocus.com>
> Delivered-To: bugtraq@lists.securityfocus.com
>
> v 0.1.3.
>
> This is a log of an incident where the entire partition containing the home
> directory was wiped.
>
> A couple of weeks prior to this incident, syslogd crashed; ps showed it
> running, but it was not really logging.
> After killing and restarting it, it resumed normal behavior.
>
> Why was amd trying to remount something? What?
>
> A knowledgeable friend suggested that entry could have been made through
> syslogd.
>
> But we'll never know, right?
This looks to me like a more or less successful amd exploit. Especially the
line with "inetd" looks suspicious.
If this is a Linux box, you were probably running version "am-utils version 6.0
(build 6)" or less, which is vulnerable to a syslog (not syslogd!) overflow
attack.
I'd say your box was hacked.
Erich
>
> Mar 16 09:32:24 osiris pppd[433]: Serial connection established.
> Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0
> Mar 16 09:32:25 osiris pppd[433]: Connect: ppp0 <--> /dev/modem
> Mar 16 09:32:28 osiris pppd[433]: local IP address 216.7.176.224
> Mar 16 09:32:28 osiris pppd[433]: remote IP address 205.134.234.50
> Mar 16 09:32:58 osiris pppd[433]: IPXCP: timeout sending Config-Requests
> Mar 16 17:13:48 osiris 
> Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together
> Mar 16 17:13:49 osiris 30>Mar 16 17:13:48 amd[136]: amq requested mount of ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P=
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
> P^P^P^P^P^P^P^P^P^P^P^P^P
> Mar 16 17:13:49 osiris p/h;/usr/sbin/inetd /tmp/h &#^PRr^??Rr^??Rr^??Rr^??Rr^??
> Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0) 
> Mar 16 20:02:29 osiris pppd[433]: Terminating on signal 2.
> Mar 16 20:02:31 osiris pppd[433]: Terminating on signal 2.
> Mar 16 20:02:31 osiris pppd[433]: Connection terminated.
> Mar 16 20:02:31 osiris pppd[433]: Exit.
>
> --------------F1AD4209347C117453FFE573--
>
>
> ----- End forwarded message -----
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
-- 
Erich Meier  Erich.Meier@informatik.uni-erlangen.de  http://www4.informatik.uni-erlangen.de/~meier/
Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."
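A detection pass over syslog records of the kind quoted in this thread (the truncated record, syslogd's "Cannot glue message parts together", and the amd "amq requested mount of" line padded with control bytes and ending in a command), written as an added example for readers of the archive; it is not code from the thread or from am-utils. It assumes the archive's ^P is caret notation for byte 0x10 and works on constructed sample lines, not the original bytes.

```python
import re

# Constructed sample lines modelled on the thread's log (not the original bytes).
# The archive renders the amd payload as ^P, caret notation for byte 0x10.
SAMPLE_LOG = [
    "Mar 16 09:32:25 osiris pppd[433]: Using interface ppp0",
    "Mar 16 17:13:48 osiris ",                      # record with no tag/message
    "Mar 16 17:13:49 osiris syslogd: Cannot glue message parts together",
    "Mar 16 17:13:48 osiris amd[136]: amq requested mount of "
    + "\x10" * 400 + "/tmp/h;/usr/sbin/inetd /tmp/h &",
    "Mar 16 19:57:05 osiris PAM_pwdb[204]: (login) session opened for user bill by (uid=0)",
]

# Classic BSD syslog line: timestamp, host, then an optional "tag: message" part.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+)"
    r"(?: (?P<tag>[^:]+): (?P<msg>.*))?\s*$"
)
CONTROL_RUN = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]{16,}")  # 16+ control bytes in a row
SHELL_HINT = re.compile(r"[;&|$]|/tmp/|/bin/|/usr/sbin/")   # separators and binary paths


def analyze_line(line):
    """Return the reasons (possibly none) a record resembles the amd incident above."""
    m = SYSLOG_RE.match(line)
    if not m:
        return ["not a syslog record"]
    if m["tag"] is None:
        return ["record has no tag or message (truncated or oversized message)"]
    tag, msg = m["tag"], m["msg"]
    reasons = []
    if tag.startswith("syslogd") and "Cannot glue message parts together" in msg:
        reasons.append("syslogd could not reassemble an oversized message")
    run = CONTROL_RUN.search(msg)
    if run:
        reasons.append(f"control-character run of {len(run.group())} bytes")
    if tag.startswith("amd[") and "amq requested mount" in msg and SHELL_HINT.search(msg):
        reasons.append("shell metacharacters or binary paths in amd mount request")
    return reasons


def scan_log(lines):
    """Return (1-based line number, reasons) for every record that raised a flag."""
    flagged = [(n, analyze_line(line)) for n, line in enumerate(lines, 1)]
    return [(n, reasons) for n, reasons in flagged if reasons]


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

On the sample, the pppd and PAM lines pass while the empty record, the syslogd warning and the amd line are flagged; a real deployment would feed the daemon's raw log file and alert on the amd and syslogd findings together.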