[Dshield] buffer overflow?

ALEPH0 aleph0 at pacbell.net
Fri Nov 16 15:11:20 GMT 2001


> > > Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line
> > >
> > > 'BB????????XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n
> > > ....
> >
> > Did you capture any commands starting with 'UFU'? If so, please forward
> > the URL it sends off list. I also got a little perl honeypot to capture
> > just these sub7 probes in case yours doesn't do the initial dialog.
>
>
> I'm not so sure that it's Sub7, the "SERVER[4302]" string in the log
> looks like a host and port number - rather than a host and process
> ID.  Especially when Google turned up the following for "port 4302":
>

I thought they were just masking what the real log line said. It
looks perfectly well like a line from a process on unix/linux. They
just didn't want to share with all of us the hostname or service that
this happened on. Of course, that also disallows us from figuring out
what is going on.

There were two separate things here.  I was secondarily relating the sub7
hits.  But that was unrelated to the buffer overflow attempt activity noted
from the messages file.  I did mask off the hostname.  But SERVER was
exactly as in the file originally.  I had not seen that before and did not
see where it comes from (looked in lib files and some RH7 source, but not
exhaustively).  Always see the predictable ones like CROND and know how they
obviously relate.

4302 is local and does not refer to the listening port, basically a random
socket/process number that is meaningless for any search.  But I thought
maybe some linux source guru out there might know where the "SERVER" label
comes from and perhaps how to trace this further.  I would expect this is
some out-of-the-box, default logic event, but am not familiar with it.  It
is straight from the messages file, though, with only the real hostname
replaced by "hostname".
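The quoted "bad request line" is made up of printf-style conversion directives (`%.172u`, `%300$n` and so on). `%n` is the one conversion that writes to memory rather than reading, and `N$` selects an argument by position, so a run of them arriving in request data is exactly what a log reviewer wants flagged. The following scanner is an added example, not code from this thread or from any of the services discussed; it parses directives out of syslog lines and flags suspicious ones. The sample lines are constructed for the example, except for the payload string quoted above.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Matches one printf-style directive: %[argpos$][flags][width][.precision][length]conv
# The conversion set and length modifiers follow the C printf grammar.
DIRECTIVE_RE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|q|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)

# Constructed sample syslog excerpt (hypothetical hosts, pids and users); the
# SERVER[4302] line carries the directive string quoted in the thread.
SAMPLE_LOG = """\
Nov 14 20:43:20 hostname CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Nov 14 20:43:31 hostname SERVER[4302]: Dispatch_input: bad request line 'BB????????XXXXXXXXXXXXXXXXXX%.172u%300$n%.17u%301$n%.253u%302$n%.192u%303$n
Nov 14 20:44:02 hostname sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Nov 14 20:44:10 hostname httpd[3001]: GET /index.html?discount=100%25 HTTP/1.0
"""


class Directive(NamedTuple):
    text: str              # the directive as it appeared, e.g. "%300$n"
    position: Optional[int]  # explicit argument index (the N in "%N$..."), if any
    conv: str              # conversion character: u, x, s, n, ...


def find_directives(line: str) -> List[Directive]:
    """Return every real conversion directive in the line, ignoring '%%' escapes
    and stray percent signs that do not form a directive (e.g. '%25 ' in a URL)."""
    found = []
    for m in DIRECTIVE_RE.finditer(line):
        if m.group("conv") == "%":
            continue  # "%%" is a literal percent sign, not a conversion
        pos = m.group("pos")
        found.append(Directive(m.group(0), int(pos) if pos else None, m.group("conv")))
    return found


def assess(line: str) -> Dict[str, object]:
    """Score one log line. Any %n write is suspicious on its own; so is a cluster
    of positional or repeated directives, which is what a memory-read probe looks like."""
    ds = find_directives(line)
    n_writes = sum(1 for d in ds if d.conv == "n")
    positional = sum(1 for d in ds if d.position is not None)
    suspicious = n_writes > 0 or positional >= 2 or len(ds) >= 4
    return {
        "line": line,
        "directives": len(ds),
        "n_writes": n_writes,
        "positional": positional,
        "suspicious": suspicious,
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run assess() over a syslog excerpt and return the flagged lines with line numbers."""
    flagged = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        result = assess(line)
        if result["suspicious"]:
            result["lineno"] = lineno
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['lineno']}: {hit['directives']} directives, "
              f"{hit['n_writes']} %n writes, {hit['positional']} positional")
        print("   ", hit["line"])
```

The `%25` in the httpd line is deliberate: URL-encoded data is the usual source of false positives for a naive `%` grep, and the grammar-based match leaves it alone because no conversion character follows the digits. Feeding the `messages` file through `scan()` would surface the line above with 8 directives, 4 of them `%n` writes.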