
List:       suse-security
Subject:    Attack or not?
From:       "Erwin Zierler - stubainet.at" <erwin.zierler () stubainet ! at>
Date:       2001-12-30 10:38:48

Hi all,

I have recently found the following lines in /var/log/messages on one of
my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:

Dec 28 09:21:10 server -- MARK --
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
[many many more of this]
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 28 14:34:46 server syslogd 1.3-3: restart.

This server is connected to the internet via ADSL and sits behind a
Zyxcel Prestige 310 where port 22 is NATed to the server. This is
for remote administration - everything else on the Zyxcel is closed
to the outside world.

Looks to me like a buffer overflow with following crash, but then there
is this time gap between the long line of ^@'s and the server restart
09:21 - 14:34 which worries me. I have not reached anyone there so I'll
have to wait until next week to find out whether they maybe did a
hard-boot or something. last shows:
reboot   system boot  2.2.16           Fri Dec 28 14:34         (1+20:48)
reboot   system boot  2.2.16           Fri Dec 28 11:56         (1+23:26)

Checking the system with chkrootkit gave me only one weird line:

Checking `wted'... 1 deletion(s) between Fri Dec 28 11:56:50 2001 and 
Fri Dec 28 11:56:50 2001

Anyway, I wondered if anyone has seen something similar yet and if
I have to worry.

Thanks in advance for your input.
  Erwin
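A small checker for the symptom described above, added here as an example and not taken from the original message or from any tool it mentions: it locates runs of NUL bytes in a syslog file and reports, for each run, the last timestamped message before it, the first one after it and the interval between them, which is the figure to set against the reboot times from `last`. Runs of NUL bytes in a log are a common artifact of an unclean shutdown on a non-journaling filesystem such as ext2, so whether the gap lines up with a reboot is the useful discriminator. The sample log is constructed and modelled on the excerpt in the post; the year has to be supplied because classic syslog timestamps carry none.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample modelled on the /var/log/messages excerpt in the post;
# it is not the poster's real file.
SAMPLE_LOG = (
    b"Dec 28 09:21:10 server -- MARK --\n"
    + b"\x00" * 4096
    + b"Dec 28 14:34:46 server syslogd 1.3-3: restart.\n"
    b"Dec 28 14:34:47 server kernel: klogd 1.3-3, log source = /proc/kmsg started.\n"
)

# Classic syslog prefix: "Mon DD HH:MM:SS " (day space-padded, no year).
SYSLOG_TS = re.compile(rb"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

NulGap = namedtuple("NulGap", "nul_bytes last_before first_after gap")


def parse_ts(line, year):
    """Timestamp of a syslog line, or None if the line has no valid prefix."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = m.group(1).decode("ascii", "replace")
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def nearest_ts(lines, year):
    """First parsable timestamp in an iterable of lines, or None."""
    for line in lines:
        ts = parse_ts(line, year)
        if ts is not None:
            return ts
    return None


def find_nul_gaps(data, year):
    """One NulGap per run of NUL bytes: run length, the last timestamped
    message before it, the first one after it, and the interval between."""
    gaps = []
    for m in re.finditer(rb"\x00+", data):
        before = nearest_ts(reversed(data[: m.start()].splitlines()), year)
        after = nearest_ts(data[m.end():].splitlines(), year)
        gap = after - before if before and after else None
        gaps.append(NulGap(m.end() - m.start(), before, after, gap))
    return gaps


if __name__ == "__main__":
    for g in find_nul_gaps(SAMPLE_LOG, 2001):
        print(f"{g.nul_bytes} NUL bytes between {g.last_before} and {g.first_after}"
              f" (gap {g.gap}); compare with the reboot times in `last`")
```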


