[ale] Error messages

James Sumners james at sumners.ath.cx
Wed Mar 17 23:50:24 EST 2004


I suppose it really depends on how much time you have to throw at the problem.
It can take a LONG time to audit a system and make sure everything is kosher. It
is much quicker to pick up a Debian net-install CD and reload.

On Wed, 17 Mar 2004 23:33:17 -0500
"Nick Travis" <lists at wormfishin.com> wrote:

> Now that I've been compromised, is my only safe option to reinstall?  I
> assume something else could have been hidden somewhere for future use?
> 
> Nick
> 
> ----- Original Message -----
> From: "Stephan Uphoff" <ups at tree.com>
> To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> Sent: Wednesday, March 17, 2004 7:17 PM
> Subject: Re: [ale] Error messages
> 
> 
> >
> > Time to re-install from scratch.
> > Looks like a rpc.statd exploit.
> > Is this a Redhat 6.2 system or older ?
> > ( http://www.securityfocus.com/bid/1480 )
> >
> > Use a firewall !
> >
> > Stephan
> >
> > Nick Travis wrote:
> > > I got an email from my ISP today saying that they think I have a virus on my
> > > network. The public IP address that they saw the traffic on is a Linux
> > > webserver (running Red Hat). I checked out my /var/log/messages and this is
> > > what I found:
> > > Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to 2004-03-15
> > > Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to 2004-03-16
> > > Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for
> > > ^X???^X???^Y???^Y???^Z???^Z???^[???^[???bffff750 8049710 8052c1868746567
> > > 6274736f6d616e797265206520726f7220726f66
> > >
> > >     bffff718
> > >          bffff719  bffff71a
> > >
> > > bffff71b~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> > > Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)
> > > Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
> > > Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
> > > Mar 16 09:37:37 web kernel: neighbour table overflow
> > > Mar 16 09:37:37 web last message repeated 9 times
> > > Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
> > > Mar 16 09:38:37 web kernel: neighbour table overflow
> > > Mar 16 09:38:39 web last message repeated 9 times
> > > Mar 16 09:38:45 web kernel: NET: 220 messages suppressed.
> > > Mar 16 09:38:45 web kernel: neighbour table overflow
> > > Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.
> > > Mar 16 09:38:47 web kernel: neighbour table overflow
> > > Mar 16 09:38:52 web kernel: NET: 3353 messages suppressed.
> > > Mar 16 09:38:52 web kernel: neighbour table overflow
> > > Mar 16 09:38:57 web kernel: NET: 3638 messages suppressed.
> > > Mar 16 09:38:57 web kernel: neighbour table overflow
> > > Mar 16 09:39:02 web kernel: NET: 3482 messages suppressed.
> > > Mar 16 09:39:02 web kernel: neighbour table overflow
> > > Mar 16 09:39:07 web kernel: NET: 3524 messages suppressed.
> > > Mar 16 09:39:07 web kernel: neighbour table overflow
> > > Mar 16 09:39:12 web kernel: NET: 3526 messages suppressed.
> > > Mar 16 09:39:12 web kernel: neighbour table overflow
> > > Mar 16 09:39:17 web kernel: NET: 3525 messages suppressed.
> > >
> > > I continued getting these messages every 5 seconds until 3:30pm on the 16th,
> > > when they suddenly stopped.  Has anyone seen this before?  According to the
> > > log file, the last time someone logged in was the 14th, which was me, and I'm
> > > the only one with access to the system.  My ISP gave me the following log:
> > >
> > > Time Zone: UTC
> > >
> > > Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
> > >
> > > EventRecord: 16 Mar 2004 20:01:47, 10.1.x.x, 6, 111, RPC Exploits, 3990, 1
> > > EventRecord: 16 Mar 2004 19:59:28, 69.162.x.x, 6, 111, RPC Exploits, 4699, 1
> > > EventRecord: 16 Mar 2004 19:57:50, 69.162.x.x, 6, 111, RPC Exploits, 4766, 1
> > > EventRecord: 16 Mar 2004 19:26:16, 69.140.x.x, 6, 111, RPC Exploits, 4730, 1
> > > EventRecord: 16 Mar 2004 18:05:04, 69.81.x.x, 6, 111, RPC Exploits, 3428, 1
> > > EventRecord: 16 Mar 2004 16:53:43, 69.40.x.x, 6, 111, RPC Exploits, 3267, 1
> > > EventRecord: 16 Mar 2004 15:19:00, 69.22.x.x, 6, 111, RPC Exploits, 3433, 1
> > >
> > > Any thoughts would be greatly appreciated.
> > >
> > >
> > >
> > > Nick
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >


-- 

I used to be interested in Windows NT, but the more I see of it the more it
looks like traditional Windows with a stabler kernel. I don't find anything
technically interesting there. In my opinion MS is a lot better at making money
than it is at making good operating systems.  -- Linus Torvalds
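The /var/log/messages excerpt Nick quoted carries three distinct indicators: the rpc.statd "gethostbyname error for" entry whose "hostname" is really an exploit payload (control bytes, a NOP sled that the archive renders as runs of `~P`, and i386 stack addresses such as bffff750), the kernel naming linsniffer as it opens a legacy packet socket and puts eth0 into promiscuous mode, and a burst of "neighbour table overflow" messages typical of a host probing many addresses on a directly attached network. The script below, an added example and not code from this thread or from any of its posters, pulls those indicators out of syslog-format lines. The sample log is constructed from the quoted entries; it assumes the `~P` runs were 0x90 NOP bytes and uses my own indicator names and threshold.

```python
"""Added example: flag the post-compromise indicators from the quoted
/var/log/messages excerpt. Not code from the thread; the sample log below is
constructed from the lines Nick quoted (NOP sled rendered as real 0x90 bytes)."""
import re

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.S | re.ASCII,
)
REPEATED_RE = re.compile(r" last message repeated (\d+) times$")
SUPPRESSED_RE = re.compile(r"NET: (\d+) messages suppressed")
NOP_SLED = re.compile("\x90{16,}")                           # x86 NOP sled
STACK_ADDR = re.compile(r"\bbffff[0-9a-f]{3}\b", re.ASCII)  # i386 Linux stack address


def parse(line):
    """Split one syslog line into its fields, or None if it does not fit."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_statd_exploit(msg):
    """rpc.statd logs the 'hostname' it failed to resolve; a format-string
    payload shows up as control bytes, a NOP sled and stack addresses."""
    if "gethostbyname error for" not in msg:
        return False
    payload = msg.split("gethostbyname error for", 1)[1]
    nonprint = sum(1 for ch in payload if not 0x20 <= ord(ch) <= 0x7E)
    return nonprint >= 8 or bool(NOP_SLED.search(payload)) or bool(STACK_ADDR.search(payload))


def scan(lines, flood_threshold=10):
    """Return (indicator, timestamp, detail) tuples for the given log lines.
    Indicator names and the flood threshold are this example's own choices."""
    findings = []
    overflow_total, overflow_first, last_was_overflow = 0, None, False
    for line in lines:
        rep = REPEATED_RE.search(line)
        if rep:  # syslog's own dedup line; it refers to the previous message
            if last_was_overflow:
                overflow_total += int(rep.group(1))
            continue
        rec = parse(line)
        if rec is None:
            continue
        prog, msg, ts = rec["prog"], rec["msg"], rec["ts"]
        is_overflow = False
        if prog == "rpc.statd" and looks_like_statd_exploit(msg):
            findings.append(("statd_exploit", ts, "format-string payload in hostname"))
        elif prog == "kernel":
            if "uses obsolete (PF_INET,SOCK_PACKET)" in msg:
                # the kernel names the process that opened a legacy raw packet socket
                findings.append(("raw_socket", ts, msg.split()[0]))
            elif "promiscuous mode" in msg.lower():
                findings.append(("promisc", ts, msg))
            elif "neighbour table overflow" in msg:
                overflow_total += 1
                overflow_first = overflow_first or ts
                is_overflow = True
            else:
                sup = SUPPRESSED_RE.search(msg)
                if sup and last_was_overflow:  # rate-limited copies of the same message
                    overflow_total += int(sup.group(1))
                    is_overflow = True
        last_was_overflow = is_overflow
    if overflow_total >= flood_threshold:
        findings.append(("arp_flood", overflow_first, overflow_total))
    return findings


# Constructed sample, built from the entries quoted in the thread.
SLED = "\x90" * 200
SAMPLE_LOG = [
    "Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to 2004-03-16",
    "Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for "
    "\x18\xff\xff\xff\x18\xff\xff\xff\x19\xff\xff\xff\x19\xff\xff\xff"
    "\x1a\xff\xff\xff\x1a\xff\xff\xff\x1b\xff\xff\xff\x1b\xff\xff\xff"
    "bffff750 8049710 8052c1868746567 6274736f6d616e797265206520726f7220726f66 "
    "bffff718 bffff719 bffff71a bffff71b" + SLED,
    "Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)",
    "Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.",
    "Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode",
    "Mar 16 09:37:37 web kernel: neighbour table overflow",
    "Mar 16 09:37:37 web last message repeated 9 times",
    "Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.",
    "Mar 16 09:38:37 web kernel: neighbour table overflow",
    "Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.",
    "Mar 16 09:38:47 web kernel: neighbour table overflow",
]

if __name__ == "__main__":
    for indicator, ts, detail in scan(SAMPLE_LOG):
        print(f"{ts}  {indicator:<14} {detail!r}")
```

Run it against a real file with `scan(open("/var/log/messages", errors="replace"))`; the `errors="replace"` matters because the payload bytes are not valid text. The ISP's record, which only shows TCP/111 hits on the portmapper, is not parsed here: it confirms the scanning but says nothing about whether an exploit landed, whereas the statd line shows the payload actually reached the daemon.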


