List: suse-security
Subject: Attack or not?
From: "Erwin Zierler - stubainet.at" <erwin.zierler () stubainet ! at>
Date: 2001-12-30 10:38:48
Hi all,

I have recently found the following lines in /var/log/messages on one of
my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:
Dec 28 09:21:10 server -- MARK --
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
[many many more of this]
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 28 14:34:46 server syslogd 1.3-3: restart.

This server is connected to the internet via ADSL and sits behind a
ZyXEL Prestige 310 where port 22 is NATed to the server. This is
for remote administration - everything else on the ZyXEL is closed
to the outside world.

Looks to me like a buffer overflow with following crash, but then there
is this time gap between the long line of ^@'s and the server restart
09:21 - 14:34 which worries me. I have not reached anyone there so I'll
have to wait until next week to find out whether they maybe did a
hard-boot or something.

last shows:
reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48)
reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26)

Checking the system with chkrootkit gave me only one weird line:
Checking `wted'... 1 deletion(s) between Fri Dec 28 11:56:50 2001 and
Fri Dec 28 11:56:50 2001

Anyway, I wondered if anyone has seen something similar yet and if
I have to worry.

Thanks in advance for your input.
Erwin
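
An added example, not part of Erwin's message: a short Python check that finds runs of NUL bytes (displayed as ^@) in a syslog file and reports the last timestamp before and the first timestamp after each run, so the silent interval can be compared against `last` output. The sample bytes are constructed from the excerpt above; the function names, the 16-byte threshold and the caller-supplied year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the excerpt in the post (NUL run shortened).
SAMPLE = (
    b"Dec 28 09:21:10 server -- MARK --\n"
    + b"\x00" * 4096
    + b"Dec 28 14:34:46 server syslogd 1.3-3: restart.\n"
)

# Not anchored to line start: text after a NUL run often has no newline before it.
STAMP = re.compile(rb"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
NUL_RUN = re.compile(rb"\x00{16,}")  # 16-byte threshold is an assumption


def parse_stamp(raw, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {raw.decode('ascii')}", "%Y %b %d %H:%M:%S")


def find_nul_gaps(data, year):
    """Return one dict per NUL run with the timestamps on either side of it."""
    stamps = [(m.start(), parse_stamp(m.group(1), year)) for m in STAMP.finditer(data)]
    findings = []
    for run in NUL_RUN.finditer(data):
        before = [t for pos, t in stamps if pos < run.start()]
        after = [t for pos, t in stamps if pos >= run.end()]
        findings.append({
            "offset": run.start(),
            "length": run.end() - run.start(),
            "last_before": before[-1] if before else None,
            "first_after": after[0] if after else None,
            # Assumes both stamps fall in the same calendar year.
            "gap": after[0] - before[-1] if before and after else None,
        })
    return findings


if __name__ == "__main__":
    # To check a real file: data = open("/var/log/messages", "rb").read()
    for f in find_nul_gaps(SAMPLE, 2001):
        print(f"{f['length']} NUL bytes at offset {f['offset']}: "
              f"{f['last_before']} -> {f['first_after']} (silent for {f['gap']})")
```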