[ale] Error messages

Nick Travis lists at wormfishin.com
Wed Mar 17 23:36:37 EST 2004


Now that I've been compromised, is my only safe option to reinstall?  I
assume something else could have been hidden somewhere for future use?

Nick

----- Original Message -----
From: "Stephan Uphoff" <ups at tree.com>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Wednesday, March 17, 2004 7:17 PM
Subject: Re: [ale] Error messages


>
> Time to re-install from scratch.
> Looks like a rpc.statd exploit.
> Is this a Redhat 6.2 system or older ?
> ( http://www.securityfocus.com/bid/1480 )
>
> Use a firewall !
>
> Stephan
>
> Nick Travis wrote:
> > I got an email from my ISP today saying that they think I have a virus on my
> > network, The public IP address that they saw the traffic on is a linux
> > webserver(running red hat), I checked out my /var/log/messages and this is
> > what I found:
> > Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to 2004-03-15
> > Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to 2004-03-16
> > Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for ^X???^X???^Y???^Y???^Z???^Z???^[???^[???bffff750 8049710 8052c1868746567
> > 6274736f6d616e797265206520726f7220726f66
> >
> >     bffff718
> >          bffff719  bffff71a
> >
> > bffff71b~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> > Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)
> > Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
> > Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
> > Mar 16 09:37:37 web kernel: neighbour table overflow
> > Mar 16 09:37:37 web last message repeated 9 times
> > Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
> > Mar 16 09:38:37 web kernel: neighbour table overflow
> > Mar 16 09:38:39 web last message repeated 9 times
> > Mar 16 09:38:45 web kernel: NET: 220 messages suppressed.
> > Mar 16 09:38:45 web kernel: neighbour table overflow
> > Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.
> > Mar 16 09:38:47 web kernel: neighbour table overflow
> > Mar 16 09:38:52 web kernel: NET: 3353 messages suppressed.
> > Mar 16 09:38:52 web kernel: neighbour table overflow
> > Mar 16 09:38:57 web kernel: NET: 3638 messages suppressed.
> > Mar 16 09:38:57 web kernel: neighbour table overflow
> > Mar 16 09:39:02 web kernel: NET: 3482 messages suppressed.
> > Mar 16 09:39:02 web kernel: neighbour table overflow
> > Mar 16 09:39:07 web kernel: NET: 3524 messages suppressed.
> > Mar 16 09:39:07 web kernel: neighbour table overflow
> > Mar 16 09:39:12 web kernel: NET: 3526 messages suppressed.
> > Mar 16 09:39:12 web kernel: neighbour table overflow
> > Mar 16 09:39:17 web kernel: NET: 3525 messages suppressed.
> >
> > I continued getting these messages every 5 seconds until 3:30pm on the 16th
> > and it suddenly stopped.  Has anyone seen this before?  According to the log
> > file the last time someone logged in was the 14th, which was me, and I'm the
> > only one with access to the system.  My ISP gave me the following log:
> >
> > Time Zone: UTC
> >
> > Event Date Time, Destination IP, IP Protocol, Target Port, Issue
> > Description, Source Port, Event Count
> >
> > EventRecord: 16 Mar 2004 20:01:47, 10.1.x.x, 6, 111, RPC Exploits, 3990, 1
> >
> > EventRecord: 16 Mar 2004 19:59:28, 69.162.x.x, 6, 111, RPC Exploits, 4699, 1
> >
> > EventRecord: 16 Mar 2004 19:57:50, 69.162.x.x, 6, 111, RPC Exploits, 4766, 1
> >
> > EventRecord: 16 Mar 2004 19:26:16, 69.140.x.x, 6, 111, RPC Exploits, 4730, 1
> >
> > EventRecord: 16 Mar 2004 18:05:04, 69.81.x.x, 6, 111, RPC Exploits, 3428, 1
> >
> > EventRecord: 16 Mar 2004 16:53:43, 69.40.x.x, 6, 111, RPC Exploits, 3267, 1
> >
> > EventRecord: 16 Mar 2004 15:19:00, 69.22.x.x, 6, 111, RPC Exploits, 3433, 1
> >
> > Any thoughts would be greatly appreciated.
> >
> >
> >
> > Nick
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>



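The three indicators in the quoted /var/log/messages excerpt (an rpc.statd gethostbyname "error" whose argument is clearly not a hostname, a program opening a raw SOCK_PACKET socket and putting eth0 into promiscuous mode, and a burst of neighbour table overflows) can be picked out of a syslog file mechanically. The following is an added example written for this thread, not code from the list or from any of the posters; the sample log text is constructed to resemble the excerpt, and the category names are my own.

```python
import re

# Constructed sample lines modelled on the /var/log/messages excerpt in the thread.
# Hostnames, PIDs and the payload bytes are invented for this example.
SAMPLE_LOG = r"""Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to 2004-03-15
Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for ^X???^X???bffff750 8049710 8052c18~P~P~P~P~P~P~P~P
Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)
Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
Mar 16 09:37:37 web kernel: neighbour table overflow
Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
Mar 16 09:38:37 web kernel: neighbour table overflow
Mar 16 10:00:00 web rpc.statd[362]: gethostbyname error for client.example.com
"""

# A legitimate lookup failure names something that looks like a hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)$")
SOCK_PACKET_RE = re.compile(r"kernel: (\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")
PROMISC_RE = re.compile(r"kernel: .*promiscuous mode", re.IGNORECASE)
NEIGH_RE = re.compile(r"kernel: neighbour table overflow")


def analyze_messages(text):
    """Return (indicator, detail) tuples for the compromise pattern seen in the thread:
    non-hostname data handed to rpc.statd, a raw-socket sniffer, promiscuous mode,
    and ARP (neighbour) table floods caused by the host scanning or flooding outward."""
    findings = []
    neigh_overflows = 0
    for line in text.splitlines():
        m = STATD_RE.search(line)
        if m:
            arg = m.group(1)
            if not HOSTNAME_RE.match(arg):      # control chars, hex, NOP sled: not a name
                findings.append(("statd_bogus_hostname", arg[:40]))
            continue
        m = SOCK_PACKET_RE.search(line)
        if m:
            findings.append(("raw_socket_program", m.group(1)))
            continue
        if PROMISC_RE.search(line):
            findings.append(("promiscuous_mode", line.split("kernel: ", 1)[1]))
            continue
        if NEIGH_RE.search(line):
            neigh_overflows += 1            # count; "messages suppressed" lines hide more
    if neigh_overflows:
        findings.append(("neighbour_table_overflow", f"{neigh_overflows} lines"))
    return findings
```

On a real box the same pass over the full file gives the timeline Stephan inferred: statd exploited at 06:09, sniffer up by 06:51, outbound scanning from 09:37 onward.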
