[Dshield] buffer overflow?
Johannes B. Ullrich
jullrich at euclidian.com
Thu Nov 15 14:52:40 GMT 2001
> Found these in my logs (copy/paste from vi). Looks like a buffer overflow
> to get a shell attempt. They are in repetitive groups and on each of my
> servers on one of my networks. Anyone know this one in particular and if I
> should be concerned? What I don't know is what is SERVER here.
> Nov 14 20:43:31 hostname SERVER: Dispatch_input: bad request line
Yes. This is a classic buffer overflow. Any idea which port it is coming
in on? The label 'SERVER' depends on your local setup.
> I also run a bunch of homebuilt fake logging daemons on many trojan ports
> and found on this same network a lot of activity on port 27374 starting a
> couple days ago.
Did you capture any commands starting with 'UFU'? If so, please forward
the URL it sends off list. I also got a little perl honeypot to capture
just these sub7 probes in case yours doesn't do the initial dialog.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System