On Wed, Dec 05, 2001 at 11:30:57AM -0800, Blue Boar wrote:
> Would you post that to the list too, please?

sure ;-)

I wrote:
> because originally the bug was simple
>
> if (cant_lookup_hostname(userdata)) {
>     syslog(userdata);
> }
>
> .. now they fixed it to be:
>
> syslog("lookup screwed for: %s\n", userdata);
> ...
>
> so you are still seeing the hostname anyway; it just isn't interpreted
> as a format string. The bug is gone. (Of course I am not precise with
> the code, it could be different, but the idea is here.)
>
> On Wed, Dec 05, 2001 at 10:31:46AM -0800, Blue Boar wrote:
> > I have a question. It may sound a bit more appropriate for Incidents,
> > but keep reading.
> >
> > So, I'm running a Red Hat 7.1 box. I intentionally have many services
> > running, but I applied all the patches from Red Hat during install, and
> > I apply any new patches within a few hours of them coming out. I have
> > this a few times in my messages file:
> >
> > rpc.statd[496]: gethostbyname error for
> > ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> >
> > This is fairly common from what I can see. Lots of people report this,
> > and it appears that this is what you get after the patches have been
> > applied, and the attack fails. This is the result of a standard exploit,
> > and I believe also a worm based on that same exploit. There doesn't
> > appear to be any evidence of a successful intrusion on my box.
> >
> > So my question is: If this is a patched version, why the heck is it
> > trying to look up that name? I'm pretty sure that there
> > isn't someone out there who has that as a reverse name for PTR
> > records.
> >
> > Can anyone help clear up my confusion? Is this just a really bad
> > patch, or is there still room for exploit, or is this the way
> > it's supposed to work?
> >
> > BB

--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
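The shape of the bug and the fix described above, as an added example that is not code from the thread or from rpc.statd itself: the vulnerable logging call beside the hardened one, plus a small scanner that walks a syslog line looking for printf conversion specifications, which is what turns the quoted "gethostbyname error for ..." line from a puzzle into a signal. The function names, the shortened payload (the NOP run is cut down), and the reading of the leading bytes as little-endian stack addresses are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the rpc.statd line quoted in the thread.
 * The leading ^X÷ÿ¿ / ^Z÷ÿ¿ bytes are 0x18 0xf7 0xff 0xbf / 0x1a 0xf7 0xff 0xbf,
 * i.e. little-endian 0xbffff718 / 0xbffff71a, which look like stack addresses
 * placed as targets for the %hn writes (an assumption, not something the
 * thread states).  The trailing \220 (0x90, NOP) run is shortened here. */
static const char SAMPLE_LOG[] =
    "rpc.statd[496]: gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf\x1a\xf7\xff\xbf\x1a\xf7\xff\xbf"
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn"
    "\x90\x90\x90\x90\x90\x90\x90\x90";

/* The original bug as the post describes it: untrusted data is the format.
 * With %x in userdata this reads stack words into the log; with %n/%hn it
 * writes to memory.  Both are undefined behaviour, so this example only
 * ever calls it with directive-free input, to show the "before" shape. */
void log_lookup_failure_vulnerable(char *out, size_t n, const char *userdata) {
    snprintf(out, n, userdata);
}

/* The fix: a fixed format string; userdata is only ever an argument to %s,
 * so its %x/%hn sequences land in the log as literal text, which is exactly
 * what the quoted messages-file line shows. */
void log_lookup_failure_fixed(char *out, size_t n, const char *userdata) {
    snprintf(out, n, "gethostbyname error for %s", userdata);
}

/* Count printf conversion specifications in s (flags, width, precision and
 * length modifiers are skipped; "%%" is a literal percent and not counted).
 * If writes is non-NULL it receives the number of %n-family conversions,
 * the ones that turn a stack read into a memory write. */
int count_format_directives(const char *s, int *writes) {
    int total = 0, w = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                         /* "%%" */
        while (*p && strchr("-+ #0", *p)) p++;           /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') {                                 /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;         /* length modifiers */
        if (!*p) break;
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            total++;
            if (*p == 'n') w++;
        }
    }
    if (writes) *writes = w;
    return total;
}

int count_n_writes(const char *s) {
    int w = 0;
    count_format_directives(s, &w);
    return w;
}

/* A hostname can never legitimately contain '%', so any conversion
 * specification in the looked-up name marks the line as a format-string
 * probe against the old, unpatched code path. */
int looks_like_format_probe(const char *line) {
    return count_format_directives(line, NULL) > 0;
}

/* Convenience wrappers returning a static buffer, for the demo below. */
static char g_buf[256];
const char *format_fixed(const char *userdata) {
    log_lookup_failure_fixed(g_buf, sizeof g_buf, userdata);
    return g_buf;
}
const char *format_vulnerable(const char *directive_free_userdata) {
    log_lookup_failure_vulnerable(g_buf, sizeof g_buf, directive_free_userdata);
    return g_buf;
}

int main(void) {
    int writes = 0;
    int total = count_format_directives(SAMPLE_LOG, &writes);
    printf("directives=%d (%d of them %%n writes) -> %s\n", total, writes,
           looks_like_format_probe(SAMPLE_LOG) ? "format-string probe" : "clean");
    printf("patched statd logs it as: %s\n", format_fixed("%8x%8x%hn"));
    return 0;
}
```

Run over the constructed line the scanner reports 13 conversions, two of them %hn, which matches the payload quoted in the thread (nine %8x, two padded %x, two %hn); the hardened call reproduces that payload verbatim in its output, the vulnerable call would have consumed it as a format. Grepping the messages file for `gethostbyname error for .*%` gives the same classification as looks_like_format_probe without writing any C.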
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 12:38:40 PST