[ale] hack attempt?

Bob bob at cavu.com
Mon Nov 22 13:03:34 EST 1999


> Date: Thu, 18 Nov 1999 21:31:29 -0500
> From: Wandered Inn <esoteric at denali.atlnet.com>
> Organization: Nocturnal Aviation Software Design
> To: ale <ale at ale.org>
> Subject: [ale] hack attempt?

> I had an unusual entry in one of my log files and was wondering if there
> is a buffer overflow issue with mountd.  Found the following:

> Nov 18 20:51:33 denali mountd[291]: Unauthorized access by NFS client
> 142.169.160.58

> and the ip is resolvable, to an entry from quebectel.com.

> Obviously, the access was denied, but the message above was followed by
> some garbage.  A bunch of ^P and other stuff that looked like line
> noise.

> The message attempts to indicate what was being mounted, but that's when
> the garbage comes in.

> Anyone seen anything like this?
> --
> Until later: Geoffrey		esoteric at denali.atlnet.com

Yes, I have seen where it succeeded and where it failed.  If you are running
a version of Red Hat older than RH5.2, YOU HAVE BEEN CRACKED!!!  The fact
that the log claims that access was denied is irrelevant!!!

If you fit these parameters then you need to assume that any file has been
modified on your system or copied off of your system.  GNU tar has a
"compare" feature that lets you compare your disk to a backup tape.
You then could do a find -atime to find all files on your system for which
GNU tar did not find matching files on the tape.

In the case where they broke in to one of my RH5.1 systems all they did
was use it for an IRC site for a bit.

For those with older systems, installing the RH5.2 mountd (or turning off
mountd and nfsd) will protect against this exploit.

Bob Toxen
bob at cavu.com
http://www.cavu.com
http://www.cavu.com/sunset.html   [Sunset Computer]
Fly-By-Day Consulting, Inc.       "Don't go with a fly-by-night outfit!"

Failure is not an option!
It comes bundled with all Microsoft products (in my opinion).
"Linux, a better way to go!"

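The tell-tale in Geoffrey's log is not the "Unauthorized access" denial itself but the run of ^P and other non-printable bytes where mountd should have logged a mount path: that is the overflow payload being echoed back into syslog. The following is an added example, not part of the original thread, showing how to scan a syslog file for exactly that pattern. It assumes the classic "Mon DD HH:MM:SS host prog[pid]: message" syslog layout and the message text quoted above; the sample log lines at the bottom are constructed for the demonstration (the second one carries an invented payload tail), and a threshold of 255 bytes for an implausibly long path is an assumption.

```python
"""Flag mountd "Unauthorized access" syslog lines whose tail carries non-printable bytes.

Added example for the thread above; reads raw bytes because the interesting
lines are precisely the ones that are not clean text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Classic syslog prefix: "Nov 18 20:51:33 denali mountd[291]: <message>"
SYSLOG_RE = re.compile(
    rb"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) "
    rb"(?P<prog>[A-Za-z_.-]+)\[(?P<pid>\d+)\]: "
    rb"(?P<msg>.*)$",
    re.DOTALL,
)
# The denial message as quoted in the original post.
UNAUTH_RE = re.compile(
    rb"Unauthorized access by NFS client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Printable ASCII plus TAB; everything else (^P = 0x10, NOP sleds, high bytes) counts as garbage.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}
MAX_SANE_PATH = 255  # assumption: no legitimate export path is longer than this


@dataclass
class MountdEvent:
    timestamp: str
    host: str
    pid: int
    client_ip: str
    control_bytes: int  # non-printable bytes found after the client address
    suspicious: bool


def control_byte_count(data: bytes) -> int:
    """Count bytes outside printable ASCII in the given buffer."""
    return sum(1 for b in data if b not in PRINTABLE)


def parse_line(raw: bytes) -> Optional[MountdEvent]:
    """Return a MountdEvent for a mountd denial line, or None for anything else."""
    m = SYSLOG_RE.match(raw.rstrip(b"\r\n"))
    if not m or m.group("prog") != b"mountd":
        return None
    msg = m.group("msg")
    u = UNAUTH_RE.search(msg)
    if not u:
        return None
    # Whatever follows the client address: normally the requested path,
    # in the overflow case the attacker's payload.
    tail = msg[u.end():]
    n = control_byte_count(tail)
    return MountdEvent(
        timestamp=m.group("ts").decode("ascii"),
        host=m.group("host").decode("ascii", "replace"),
        pid=int(m.group("pid")),
        client_ip=u.group("ip").decode("ascii"),
        control_bytes=n,
        suspicious=n > 0 or len(tail) > MAX_SANE_PATH,
    )


def scan(lines: List[bytes]) -> List[MountdEvent]:
    """Parse every mountd denial in the given raw log lines."""
    return [ev for ev in (parse_line(raw) for raw in lines) if ev is not None]


def suspicious_clients(lines: List[bytes]) -> List[str]:
    """Distinct client addresses whose denial lines carried payload-like garbage."""
    return sorted({ev.client_ip for ev in scan(lines) if ev.suspicious})


# Constructed sample log (not from the original post). The second line has a
# run of 0x10 (^P) and other binary bytes where a mount path should be.
SAMPLE_LOG = [
    b"Nov 18 20:51:33 denali mountd[291]: Unauthorized access by NFS client 142.169.160.58",
    b"Nov 18 20:51:33 denali mountd[291]: Unauthorized access by NFS client 142.169.160.58 "
    b"/\x10\x10\x10\x10\x90\x90\xeb\x1f",
    b"Nov 18 20:52:01 denali mountd[291]: Unauthorized access by NFS client 192.168.1.20 /home",
    b"Nov 18 20:52:05 denali sshd[400]: Accepted password for geoffrey from 192.168.1.5",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        flag = "SUSPICIOUS" if ev.suspicious else "ok"
        print(f"{ev.timestamp} {ev.host} mountd[{ev.pid}] client={ev.client_ip} "
              f"control_bytes={ev.control_bytes} {flag}")
```

Run it against a real file with `scan(open("/var/log/messages", "rb").read().splitlines())`. A plain denial with no tail, or a tail that is an ordinary path, is reported as ok; a tail containing control or high bytes is flagged, which is the case Bob's reply says to treat as a compromise regardless of the word "Unauthorized" in the message.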