[ale] hack attempt?

Robert L. Harris nomad at rnd-consulting.com
Thu Nov 18 22:30:17 EST 1999


To any who care, based on something like this I started writing my own
Tripwire type tool.  I'm still moving from flat files to dbm's as soon
as I figure them out.  Once done with that, I want to find a way of
doing some sort of md5 against the files.  In the meantime it will
tell you if any of the stats, outside atime, change and it runs on
my p166 on /sbin, /usr/sbin, /bin, /usr/bin, /usr/local/bin, 
/usr/local/sbin and /etc in under 3 seconds, if you include the check
and rebuilding the databases.

If you're interested in a copy let me know.  I can mail it, or if you're
 on IRC, I can dcc it to you.

Robert

Thus spake Wandered Inn (esoteric at denali.atlnet.com):

> I had an unusual entry in one of my log files and was wondering if there
> is a buffer overflow issue with mountd.  Found the following:
> 
> Nov 18 20:51:33 denali mountd[291]: Unauthorized access by NFS client
> 142.169.160.58
> 
> and the ip is resolvable, to an entry from quebectel.com.
> 
> Obviously, the access was denied, but the message above was followed by
> some garbage.  A bunch of ^P and other stuff that looked like line
> noise.
> 
> The message attempts to indicate what was being mounted, but that's when
> the garbage comes in.
> 
> Anyone seen anything like this?
> 
> --
> Until later: Geoffrey		esoteric at denali.atlnet.com
> 
> It should be illegal to yell "Y2K" in a crowded economy.
> 	-- Larry Wall, creator of the programming language Perl

---------------------------------------------------------------------------
Robert L. Harris                |   "A person is smart;
Senior System Engineer          |        People are dumb, panicky
  R&D Consulting.               \_            dangerous animals"  - Agent K  


http://www.rnd-consulting.com/~nomad

DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.

FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
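
An added sketch of the kind of check the message above describes (not Robert's tool, which was not posted to the list): record every stat field except atime for each file under the given roots, plus a content hash, and report differences against a baseline. SHA-256 stands in for the md5 he mentions wanting; the function names and the in-memory dict (instead of flat files or dbm) are assumptions.

```python
import hashlib
import os
import stat
import tempfile

# Every stat field except st_atime, which changes on ordinary reads.
STAT_FIELDS = ("st_mode", "st_ino", "st_nlink", "st_uid", "st_gid",
               "st_size", "st_mtime_ns", "st_ctime_ns")

def fingerprint(path):
    """Return (stat fields minus atime, SHA-256 hex or None) for one path."""
    st = os.lstat(path)                      # lstat: do not follow symlinks
    meta = tuple(getattr(st, f) for f in STAT_FIELDS)
    digest = None
    if stat.S_ISREG(st.st_mode):             # hash regular files only
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return meta, digest

def snapshot(roots):
    """Walk each root and map every file path to its fingerprint."""
    db = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    db[path] = fingerprint(path)
                except OSError:              # vanished or unreadable mid-scan
                    db[path] = None
    return db

def compare(baseline, current):
    """Return sorted lists of added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed sample tree
        target = os.path.join(d, "login")
        with open(target, "wb") as fh:
            fh.write(b"original")
        base = snapshot([d])
        with open(target, "wb") as fh:
            fh.write(b"modified")              # same size, new content
        print(compare(base, snapshot([d])))
```

The baseline is only as trustworthy as where it is stored; keeping it on read-only or off-host media prevents whoever altered the binaries from also rewriting the database.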





