[H-GEN] Debian v Mandrake
Greg Black
gjb at humbug.org.au
Thu Mar 21 02:04:12 EST 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
Robert Kearey wrote:
| Anthony Towns wrote:
|
| >> Sure, but its still a problem with the application, not the OS.
| >> Flaws that are specific to an OS are rare
|
| > Yeah, but _attacks_ that are specific to an OS aren't, and attacks are
| > what you can log, and what Greg was claiming to be logging. Which seems
| > pretty fair. (Although identifying the OS that's being targeted is
| > probably a fair chunk harder than identifying the app.)
|
| That'd be the job of an IDS like Snort - Greg didn't mention what he was
| running to be able to finger individual attacks.
The process of identifying specific attacks is complex and there
are many approaches that can usefully be applied. Tools like
snort (and several other similar utilities) are very helpful; a
lot can be learned with tcpdump/ethereal; nothing beats good old
experience when reading logs that are generated by any sensibly
set-up system.
The exploit I referred to earlier today has a clear signature in
the logs. Here's one log line:
>>>
Mar 21 02:12:40 <daemon.err> bambi rpc.statd: invalid hostname to sm_stat: ^X^X^Z^Z%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^!
PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>>>
Everything between the two lines with ">>>" is on a single line,
regardless of what any intervening mailers might have done with
it.
As it happens, the OS that logged that line is not bothered by
the intruder and just logs the invalid hostname. For anybody
who has seen this once, the signature is unmistakable. And for
anybody with a vulnerable system, it's bad news.
Logs are full of other interesting data. For example, my http
server's logs have lots of failed requests that are indicators
of various attempted exploits. Here's an obvious one:
203.251.3.240 read ./www/scripts/Admin.dll: open failed: file does not exist
| BTW, if anybody here knows someone who is complicit in the current spate
| of oz.org DoS attacks, please kill them where they stand, right now.
Excellent proposal.
| It's for the greater good. R3sp3k must be earned by creating, not
| destroying.
Indeed.
Greg
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
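Added example, not part of Greg's post and not code from snort or any other tool mentioned above: a small Python classifier that applies the two log signatures discussed in the message (an rpc.statd "invalid hostname to sm_stat" entry carrying format-string directives and a NOP run, and a web-server "open failed" entry for a Windows-style executable). It assumes the log was viewed with control characters rendered caret-style and 8-bit bytes as "M-^P" (cat -v style), and the sample lines are constructed, apart from the Admin.dll line taken from the post.

```python
import re

# Rendering assumption: 0x90 shows as "M-^P", so a NOP run is a repeat of that.
NOP_RUN = re.compile(r"(?:M-\^P){4,}")
FORMAT_SPEC = re.compile(r"%\d*(?:hn|x|n|s)")       # printf directives
WRITE_SPEC = re.compile(r"%\d*h?n")                 # %n / %hn write directives
STATD = re.compile(r"rpc\.statd: invalid hostname to sm_stat: (?P<host>.*)$")
HTTP_FAIL = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) read (?P<path>\S+): open failed")
# Assumption: a Unix web server never serves these, so a request for one is
# a probe aimed at a Windows/IIS-style target rather than a genuine visitor.
WINDOWS_EXEC = re.compile(r"\.(?:dll|exe|asp)$", re.IGNORECASE)

def classify(line):
    """Return a short tag for what the line indicates, or None if benign."""
    m = STATD.search(line)
    if m:
        host = m.group("host")
        # A hostname argument does not legitimately contain printf write
        # directives or a NOP sled; a cluster of %x is the classic stack walk.
        if (WRITE_SPEC.search(host) or NOP_RUN.search(host)
                or len(FORMAT_SPEC.findall(host)) >= 3):
            return "rpc.statd format-string attempt"
        return None
    m = HTTP_FAIL.search(line)
    if m and WINDOWS_EXEC.search(m.group("path")):
        return "http probe for IIS-style executable"
    return None

def scan(lines):
    """Return [(index, tag)] for every line that matched a signature."""
    return [(i, tag) for i, l in enumerate(lines) if (tag := classify(l))]

# Constructed sample log (the statd payload is shortened; the Admin.dll
# line is the one quoted in the post).
SAMPLE_LOG = [
    "Mar 21 02:12:40 <daemon.err> bambi rpc.statd: invalid hostname to "
    "sm_stat: ^X^X^Z^Z%8x%8x%8x%62716x%hn%51859x%hnM-^PM-^PM-^PM-^PM-^P",
    "Mar 21 02:13:01 <daemon.err> bambi rpc.statd: invalid hostname to "
    "sm_stat: not-a-host",
    "203.251.3.240 read ./www/scripts/Admin.dll: open failed: file does not exist",
    "10.0.0.5 read ./www/robots.txt: open failed: file does not exist",
]

if __name__ == "__main__":
    for i, tag in scan(SAMPLE_LOG):
        print(f"line {i}: {tag}")
```

Run it over real syslog and web-server error logs line by line; the thresholds in classify are starting points to tune against your own traffic.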