Strange syslog entry

Post by Neil Durant » Mon, 02 Jul 2001 09:54:23



I occasionally get an entry in my /var/log/syslog along these lines:

Jul  1 01:43:34 nickel /sbin/rpc.statd[189]: gethostbyname error for
^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%
n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220
... (loads of repeated \220s)

Jul  1 01:43:34 nickel
^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K\200^A\200\177

Any ideas what it might mean?  I'm running Debian Potato.

Neil
--
===================================================================
Neil Durant

===================================================================
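What the entry carries, as an added example that is not part of the original post: the "hostname" handed to gethostbyname is a chain of printf-style conversions (the %8x run) ending in %n, the directive that writes to memory; the `%` at the end of one wrapped line and the `n` at the start of the next are one `%n`. It is followed by a long run of \220 (syslog's octal escape for 0x90, the x86 NOP instruction) and, on the second line, a fragment containing /bin and /sh. Those three markers are cheap to spot in a log, and the scanner below looks for exactly them. The sample is constructed: the first two lines are the entry quoted above with the wrap rejoined, the third is a made-up benign lookup failure; the indicator names and the "four directives" threshold are my assumptions.

```python
"""Flag syslog lines carrying format-string and shellcode markers.

Added example for this thread, not code from the original posts.  The
sample below is constructed: lines 1-2 are the rpc.statd entry quoted in
the thread with the wrap rejoined, line 3 is a made-up benign error.
"""
import re

# A printf-style conversion: '%', optional flags, width, precision, and a
# conversion character.  A hostname has no reason to contain any.
FMT_DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")
# %n writes the byte count so far through a pointer pulled off the stack;
# it marks the step from reading the stack (%x) to overwriting memory.
WRITE_DIRECTIVE = re.compile(r"%\d*n")
# syslogd writes non-printable bytes as octal escapes, so a 0x90 (x86 NOP)
# shows up as "\220"; a long run is a NOP sled.  Raw 0x90 is matched too.
NOP_SLED = re.compile(r"(?:\\220|\x90){8,}")
# Shellcode strings are often split by instruction bytes, as in the
# "/binF^D/sh" fragment on the thread's second line.
SHELL_STRING = re.compile(r"/bin.{0,4}?/sh")

SAMPLE_LOG = (
    "Jul  1 01:43:34 nickel /sbin/rpc.statd[189]: gethostbyname error for "
    "^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    + r"\220" * 40 + "\n"
    r"Jul  1 01:43:34 nickel ^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K\200^A\200\177"
    "\n"
    # Constructed benign line: a mistyped hostname, not an attack.
    "Jul  1 02:10:07 nickel /sbin/rpc.statd[189]: gethostbyname error for fileserver.exmaple\n"
)


def classify_line(line):
    """Names of the indicators present in one syslog line."""
    indicators = []
    if WRITE_DIRECTIVE.search(line):
        indicators.append("format-string-write")
    elif len(FMT_DIRECTIVE.findall(line)) >= 4:
        # A chain of %x with no %n yet: the attacker dumping the stack to
        # find the offsets a later %n write will need.
        indicators.append("format-string-probe")
    if NOP_SLED.search(line):
        indicators.append("nop-sled")
    if SHELL_STRING.search(line):
        indicators.append("shell-string")
    return indicators


def severity(indicators):
    """A %n write plus a sled or shell string is a live exploit attempt."""
    payload = "nop-sled" in indicators or "shell-string" in indicators
    if "format-string-write" in indicators and payload:
        return "exploit-attempt"
    return "suspicious" if indicators else "clean"


def scan(text):
    """(line number, severity, indicators) for every flagged line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        found = classify_line(line)
        if found:
            hits.append((number, severity(found), found))
    return hits


if __name__ == "__main__":
    for number, level, found in scan(SAMPLE_LOG):
        print(f"line {number}: {level} ({', '.join(found)})")
```

Run against the sample, the first line comes back as an exploit attempt (a %n write followed by a NOP sled) and the second as suspicious (a split /bin/sh string with no directives of its own); the benign line is not reported. The same regexes drop into a logcheck rule set or a cron job over /var/log/syslog.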

 
 
 

Post by D. Stimit » Mon, 02 Jul 2001 14:42:27



> I occasionally get an entry in my /var/log/syslog along these lines:

> Jul  1 01:43:34 nickel /sbin/rpc.statd[189]: gethostbyname error for
> ^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%
> n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220
> ... (loads of repeated \220s)

> Jul  1 01:43:34 nickel
> ^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K\200^A\200\177

> Any ideas what it might mean?  I'm running Debian Potato.

> Neil

I couldn't swear to it, but it looks something like an attempt at buffer
overflow. If your machine is connected to the Internet at the time it
occurs, you should consider firewalling your syslog port (along with
printer, rpc, dns, and so on).



 
 
 

Post by Gandalf Parker » Mon, 02 Jul 2001 23:17:04



> I occasionally get an entry in my /var/log/syslog along these lines:

> Jul  1 01:43:34 nickel /sbin/rpc.statd[189]: gethostbyname error for
> ^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%
> n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220
> ... (loads of repeated \220s)
> Jul  1 01:43:34 nickel
> ^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K\200^A\200\177

It's a buffer overload to rpc.statd.

Seriously consider whether or not you have anything you need to run rpc.statd
for. For that matter, run nmap against yourself and seriously consider whether
or not you need each of the services which show up. The fewer services, the
better. Especially for services you don't understand, never use, and therefore
would never upgrade.

Gandalf Parker

 
 
 

Post by Neil Durant » Tue, 03 Jul 2001 23:36:57




>> I occasionally get an entry in my /var/log/syslog along these lines:

>> Jul  1 01:43:34 nickel /sbin/rpc.statd[189]: gethostbyname error for
>> ^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%
>> n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220
>> \220\220\220\220\220
>> ... (loads of repeated \220s)
>> Jul  1 01:43:34 nickel
>> ^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K\200^A\200\177

>It's a buffer overload to rpc.statd.

>Seriously consider whether or not you have anything you need to run rpc.statd
>for. For that matter, run nmap against yourself and seriously consider whether
>or not you need each of the services which show up. The fewer services, the
>better. Especially for services you don't understand, never use, and therefore
>would never upgrade.

Thanks, I've closed down that service now and fixed a couple of other
holes in my firewall while I was at it.  Thanks for the info!

Neil

 
 
 

Post by D. Stimit » Wed, 04 Jul 2001 13:53:24





> >> I occasionally get an entry in my /var/log/syslog along these lines:

> >> Jul  1 01:43:34 nickel /sbin/rpc.statd[189]: gethostbyname error for
> >> ^X^X^Y^Y^Z^Z^[^[%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%
> >> n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220
> >> \220\220\220\220\220
> >> ... (loads of repeated \220s)
> >> Jul  1 01:43:34 nickel
> >> ^F/binF^D/shA0\210F^G\211v^L\215V^P\215N^L\211^K\200^A\200\177

> >It's a buffer overload to rpc.statd.

> >Seriously consider whether or not you have anything you need to run rpc.statd
> >for. For that matter, run nmap against yourself and seriously consider whether
> >or not you need each of the services which show up. The fewer services, the
> >better. Especially for services you don't understand, never use, and therefore
> >would never upgrade.

> Thanks, I've closed down that service now and fixed a couple of other
> holes in my firewall while I was at it.  Thanks for the info!

> Neil

You may be interested in knowing that if your service was vulnerable
(meaning you see the symptoms, not necessarily whether it worked or
not), then getting a root kit installed would hide it, and probably
protect it against replacement (such as putting the real files for
secret control in other places that further package replacement won't
get to). If you have been rooted, you can't just close the holes; there
will then be secret holes and modified programs to hide it. It's
questionable whether closing the holes will do any good once a root kit
is in. On the other hand, if you know for a fact that your version of
whatever ran on the particular port (apparently rpc.statd) was up to
date at the time of attack, then it is unlikely you were actually
rooted; if you know it was an out-of-date version, even a little bit,
there is a strong chance you were rooted and normal lockdown procedures
won't help.


 
 
 

Post by Neil Durant » Fri, 06 Jul 2001 04:58:52



>You may be interested in knowing that if your service was vulnerable
>(meaning you see the symptoms, not necessarily whether it worked or
>not), then getting a root kit installed would hide it, and probably
>protect it against replacement (such as putting the real files for
>secret control in other places that further package replacement won't
>get to). If you have been rooted, you can't just close the holes, there
>will then be secret holes and modified programs to hide it. It's
>questionable whether closing the holes will do any good once a root kit
>is in. On the other hand, if you know for a fact that your version of
>whatever ran on the particular port (apparently rpc.statd) was up to
>date at the time of attack, then it is unlikely you were actually
>rooted; if you know it was an out of date version, even a little bit,
>there is a strong chance you were rooted and normal lockdown procedures
>won't help.

Is there any reliable way to determine whether I've been rooted?

It's on a Debian stable system, and I do an apt-get update virtually
every day.  Would that be sufficient to get me security fixes to
packages?

Neil

 
 
 

Post by D. Stimit » Fri, 06 Jul 2001 06:30:16




> >You may be interested in knowing that if your service was vulnerable
> >(meaning you see the symptoms, not necessarily whether it worked or
> >not), then getting a root kit installed would hide it, and probably
> >protect it against replacement (such as putting the real files for
> >secret control in other places that further package replacement won't
> >get to). If you have been rooted, you can't just close the holes, there
> >will then be secret holes and modified programs to hide it. It's
> >questionable whether closing the holes will do any good once a root kit
> >is in. On the other hand, if you know for a fact that your version of
> >whatever ran on the particular port (apparently rpc.statd) was up to
> >date at the time of attack, then it is unlikely you were actually
> >rooted; if you know it was an out of date version, even a little bit,
> >there is a strong chance you were rooted and normal lockdown procedures
> >won't help.

> Is there any reliable way to determine whether I've been rooted?

> It's on a Debian stable system, and I do an apt-get update virtually
> every day.  Would that be sufficient to get me security fixes to
> packages?

> Neil

There is "chkrootkit":
http://www.chkrootkit.org/

But it is only a partial test; it is not a guarantee by a long way.
Some of the root kits do things like install a kernel module that lies
to apps doing checks, whether it is tripwire checking file sizes and
checksums (relabel them chucksums for posterity), or even the existence
of certain files and directories...meaning unmodified commands can be
made to lie through the kernel modules. And the kernel modules are
themselves invisible. What you should do is check the version number of
your program (portmap), and compare it to any security updates, e.g., if
it is Red Hat, check ftp://updates.redhat.com, and see if it has a newer
version listed. Also http://bugzilla.redhat.com, check that package.


 
 
 

Post by Gandalf Parker » Wed, 11 Jul 2001 02:25:24



> Is there any reliable way to determine whether I've been rooted?

> It's on a Debian stable system, and I do an apt-get update virtually
> every day.  Would that be sufficient to get me security fixes to
> packages?

Other than the kernel thing already mentioned, here are some quick checks for
other types of rootkits.

ls -blartR /dev | grep "^-"
(on some systems MAKEDEV will show up, but if anything else does then ask
about it here)

Doing an ls -blart of certain directories such as /bin, /sbin, /usr/sbin,
/usr/bin, /usr/local/bin. Anything recently changed by the more common (and
dumber) kits will show up at the end of the list. Programs like ifconfig,
ls, ps, find, netstat, login.

Doing an ls -blart of /etc on a regular basis isn't a bad idea. Learning to
recognize which things get updated regularly and which ones don't. If passwd,
inetd.conf, or rc directories show activity you can't account for then check
them quick.

I also have my machines email me off system every time someone becomes root.
It sends me a netstat.  That way even if the logs are purged I know that
someone was in, when, and where from.

I have a number of checks like I mentioned above in my login script.
Whenever I login it checks for text files in /dev. And compares dates, or
sizes, or last line, in many of the more indicative files. All of the entries
are designed to only show me something if it's a mismatch, so most of my
logins are a little slower and then show me nothing but a prompt. But if they
do show me something, I can react.

Gandalf Parker
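The three checks in the post above, as an added example (not code from the post): regular files hiding in /dev, the recently-modified tail of the bin directories, and a size/mtime snapshot of watched /etc paths that a login script can diff against the previous run. The `root` parameter, the watch lists and the `make_demo_tree()` fixture are my assumptions so the script runs offline against a constructed tree; on a real box you pass `/`. As the post notes, every one of these checks goes through the kernel's stat(), so a kernel-module kit that filters what stat() returns defeats all of them.

```python
"""Quick checks for the simpler rootkits, after Gandalf Parker's post:
regular files hiding in /dev, recently modified binaries in the system
bin directories, and a size/mtime snapshot of watched /etc paths.

Added example for this thread, not code from the original posts.  The
`root` parameter, the watch lists and make_demo_tree() are assumptions so
the checks can run against a constructed tree rather than a live system.
"""
import os, stat, sys, tempfile, time

BIN_DIRS = ["bin", "sbin", "usr/sbin", "usr/bin", "usr/local/bin"]
ETC_WATCH = ["etc/passwd", "etc/shadow", "etc/inetd.conf", "etc/init.d", "etc/rc2.d"]


def _lstat(path):
    try:
        return os.lstat(path)  # lstat: a symlink to a device is not a file
    except OSError:
        return None


def regular_files_in_dev(root="/", ignore=("MAKEDEV",)):
    """Regular files under <root>/dev: `ls -blartR /dev | grep "^-"`.
    /dev should hold only device nodes, directories and symlinks; kits
    park sniffer logs and config there because nobody looks."""
    found = []
    for dirpath, _dirs, names in os.walk(os.path.join(root, "dev")):
        for name in names:
            path = os.path.join(dirpath, name)
            st = _lstat(path)
            if st and stat.S_ISREG(st.st_mode) and name not in ignore:
                found.append(path)
    return sorted(found)


def recently_modified(root="/", dirs=BIN_DIRS, days=30):
    """Regular files in the bin directories modified within `days`, oldest
    first: the tail of `ls -blart`.  A kit that does not forge timestamps
    leaves its replacement ls, ps, netstat or login here."""
    cutoff = time.time() - days * 86400
    hits = []
    for rel in dirs:
        full = os.path.join(root, rel)
        if not os.path.isdir(full):
            continue
        for name in os.listdir(full):
            path = os.path.join(full, name)
            st = _lstat(path)
            if st and stat.S_ISREG(st.st_mode) and st.st_mtime >= cutoff:
                hits.append((path, st.st_mtime))
    return sorted(hits, key=lambda hit: hit[1])


def snapshot(root="/", paths=ETC_WATCH):
    """Size and mtime of each watched path (for a directory, of each entry
    in it), so a rewritten passwd or a new rc script shows as a change."""
    snap = {}
    for rel in paths:
        full = os.path.join(root, rel)
        targets = [full]
        if os.path.isdir(full):
            targets = [os.path.join(full, n) for n in os.listdir(full)]
        for target in targets:
            st = _lstat(target)
            if st:
                snap[target] = (st.st_size, int(st.st_mtime))
    return snap


def compare(baseline, current):
    """(path, 'added' | 'removed' | 'changed') for every difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path] != current[path]:
            changes.append((path, "changed"))
    return changes


def make_demo_tree():
    """Constructed fixture, not a real system: a fake root with one thing
    for each check to flag and some things it should ignore."""
    root = tempfile.mkdtemp(prefix="rkdemo-")
    year_ago = time.time() - 400 * 86400
    for rel in ("dev/pts", "bin", "etc/rc2.d"):
        os.makedirs(os.path.join(root, rel))

    def touch(rel, when):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.utime(path, (when, when))

    touch("dev/MAKEDEV", year_ago)          # script some systems keep in /dev
    touch("dev/pts/.sniff.log", year_ago)   # a log parked where nobody looks
    touch("bin/ls", year_ago)
    touch("bin/ps", time.time() - 3600)     # replaced an hour ago
    touch("etc/passwd", year_ago)
    touch("etc/rc2.d/S20inetd", year_ago)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path in regular_files_in_dev(root):
        print("regular file in /dev:", path)
    for path, mtime in recently_modified(root):
        print("recently modified:", time.ctime(mtime), path)
    # A login script keeps snapshot(root) on disk and compares on each run.
```

Against the demo tree this reports the stray log under /dev/pts and the fresh /bin/ps, while MAKEDEV, the year-old ls and the untouched rc script stay quiet. For the login-script use in the post, keep a snapshot on disk (better: off the box, like the netstat mail) and print only what `compare()` returns, so a clean login shows nothing but a prompt.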

 
 
 

Post by Neil Durant » Wed, 11 Jul 2001 13:38:26




>> Is there any reliable way to determine whether I've been rooted?

>> It's on a Debian stable system, and I do an apt-get update virtually
>> every day.  Would that be sufficient to get me security fixes to
>> packages?

>Other than the kernel thing already mentioned, here are some quick checks for
>other types of rootkits.

>ls -blartR /dev | grep "^-"
>(on some systems MAKEDEV will show up, but if anything else does then ask
>about it here)

>Doing an ls -blart of certain directories such as /bin, /sbin, /usr/sbin,
>/usr/bin, /usr/local/bin. Anything recently changed by the more common (and
>dumber) kits will show up at the end of the list. Programs like ifconfig,
>ls, ps, find, netstat, login.

>Doing an ls -blart of /etc on a regular basis isn't a bad idea. Learning to
>recognize which things get updated regularly and which ones don't. If passwd,
>inetd.conf, or rc directories show activity you can't account for then check
>them quick.

>I also have my machines email me off system every time someone becomes root.
>It sends me a netstat.  That way even if the logs are purged I know that
>someone was in, when, and where from.

>I have a number of checks like I mentioned above in my login script.
>Whenever I login it checks for text files in /dev. And compares dates, or
>sizes, or last line, in many of the more indicative files. All of the entries
>are designed to only show me something if it's a mismatch, so most of my
>logins are a little slower and then show me nothing but a prompt. But if they
>do show me something, I can react.

Thanks for the suggestions/tips.  Doing ls -blartR on the various paths
where executables lie doesn't seem to bring up anything of concern.
Nothing came with /dev, and very few files in the other paths were
updated within the last 3-4 months, so I guess I'm ok!

I now have logcheck running to check my /var/log/syslog entries, and it
emails me whenever anything remotely dodgy appears (including root
logins).

I think I got away with it this time.  This whole episode has forced me
to learn about ipchains properly and set up my box a little better. I've
also run various website firewall-checking tools against my box, and it
seems ok!

Thanks for everyone's suggestions!

Neil

 
 
 

Post by Gandalf Parker » Fri, 13 Jul 2001 02:50:38



> Thanks for the suggestions/tips.  Doing ls -blartR on the various paths
> where executables lie doesn't seem to bring up anything of concern.
> Nothing came with /dev, and very few files in the other paths were
> updated within the last 3-4 months, so I guess I'm ok!

Not completely. Some kits unpack and maintain their own dates. But then they show
up as different from everything else in the directory. Sometimes you will even
get a hacker instead of a cracker, and they will "touch" the files to the same
date as the other files. But not often. These checks catch about 85% of what I've
seen.

> I now have logcheck running to check my /var/log/syslog entries, and it
> emails me whenever anything remotely dodgy appears (including root
> logins).

Sometimes logchecks are too late. And did you write it yourself or are you using
a downloaded thing? The more people that use something, the more likely a check
for it will be added to the kits.

Consider this as a really simple backup.
The /etc directory has default login files for each shell. They usually have some
check in them for the lower logins (root, lp, bin, sys, daemon) in order to set
the mask different. Add a line there to

Gandalf Parker

 
 
 

Post by Neil Durant » Fri, 13 Jul 2001 13:28:34




>> I now have logcheck running to check my /var/log/syslog entries, and it
>> emails me whenever anything remotely dodgy appears (including root
>> logins).

>Sometimes logchecks are too late. And did you write it yourself or are
>you using a downloaded thing? The more people that use something, the
>more likely a check for it will be added to the kits.

I'm using the logcheck that comes with Debian Potato, so I guess that's
quite well known by the crackers...

>Consider this as a really simple backup. The /etc directory has default
>login files for each shell. They usually have some check in them for
>the lower logins (root, lp, bin, sys, daemon) in order to set the mask


Thanks, I'll give that a go.

Neil