[Dshield] buffer overflow?

Johannes B. Ullrich jullrich at euclidian.com
Thu Nov 15 14:52:40 GMT 2001




> Found these in my logs (copy/paste from vi).  Looks like a buffer overflow
> to get a shell attempt.  They are in repetitive groups and on each of my
> servers on one of my networks.  Anyone know this one in particular and if I
> should be concerned?  What I don't know is what is SERVER here.
> 
> Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line
> 'BBì¿í¿î¿ï¿XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n
...

Yes. This is a classic buffer overflow. Any idea which port it is coming 
in on? The label 'SERVER' depends on your local setup.

> I also run a bunch of homebuilt fake logging daemons on many trojan ports
> and found on this same network a lot of activity on port 27374 starting a
> couple days ago.

Did you capture any commands starting with 'UFU'? If so, please forward 
the URL it sends off-list. I also got a little perl honeypot to capture 
just these sub7 probes in case yours doesn't do the initial dialog.



-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

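A defender-side check for the pattern in the quoted log line, added here as an example and not part of the original thread: the quoted request carries printf-style `%N$n` conversions (positional `%n` write directives) and a long run of filler bytes, both of which a log scanner can flag directly. The sample lines, hostname and PIDs below are constructed to resemble the post's line, not copied from any real system.

```python
import re

# Constructed sample syslog lines modelled on the one quoted in the post.
SAMPLE_LOGS = [
    "Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line "
    "'BB\xec\xbf\xed\xbf\xee\xbf\xef\xbfXXXXXXXXXXXXXXXXXX"
    "%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n",
    "Nov 14 20:44:02 hostname SERVER[4302]: Dispatch_input: GET /index.html",
    "Nov 14 20:45:10 hostname SERVER[4310]: Dispatch_input: bad request line "
    "'GET /cgi-bin/test?x=100%25'",
]

# printf-style conversion with an optional positional argument ("%300$n")
# and an optional precision ("%.172u").  Field width is deliberately not
# parsed, so URL escapes such as "%25" or "%2d" do not match; only the
# conversion letter in the second group is used for scoring.
FMT_DIRECTIVE = re.compile(r"%(?:(\d+)\$)?(?:\.\d+)?([diouxXn])")
# 16 or more identical consecutive bytes: padding/filler, as in "XXXX...".
FILLER_RUN = re.compile(r"(.)\1{15,}")


def analyze_line(line):
    """Return the format-string indicators found in one log line."""
    directives = FMT_DIRECTIVE.findall(line)
    return {
        "directives": len(directives),
        "n_writes": sum(1 for _pos, conv in directives if conv == "n"),
        "positional": sum(1 for pos, _conv in directives if pos),
        "filler_run": FILLER_RUN.search(line) is not None,
    }


def is_format_string_probe(line):
    """A %n conversion has no legitimate place in request data, so a single
    one is enough to classify the line as a format-string probe."""
    return analyze_line(line)["n_writes"] > 0


def scan(lines):
    """Return (line, indicators) for every line classified as a probe."""
    return [(l, analyze_line(l)) for l in lines if is_format_string_probe(l)]


if __name__ == "__main__":
    for line, ind in scan(SAMPLE_LOGS):
        print(ind, line[:60])
```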



