[Dshield] buffer overflow?

Clint Byrum cbyrum at erp.com
Fri Nov 16 03:22:24 GMT 2001


On Fri, Nov 16, 2001 at 01:33:52AM +0100, Keith Smith wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > > Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad
> > > request line
> > >
> > >'BB????????XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302
> > > $n%.192u%303$n
> > > ....
> >
> > Did you capture any commands starting with 'UFU'? If so,
> > please forward
> > the URL it sends off list. I also got a little perl honeypot
> > to capture
> > just these sub7 probes in case yours doesn't do the initial dialog.
> 
> 
> I'm not so sure that it's Sub7, the "SERVER[4302]" string in the log
> looks like a host and port number - rather than a host and process
> ID.  Especially when Google turned up the following for "port 4302":
> 

I thought they were just masking what the real log line said. It
looks perfectly well like a line from a process on unix/linux. They
just didn't want to share with all of us the hostname or service that
this happened on. Of course, that also disallows us from figuring out
what is going on.



