[lug] possible intrusion

Deva Samartha blug-receive at mtbwr.net
Thu Jul 19 13:21:04 MDT 2001


Looks like they are not getting in - unless they get in, deliver a
gift and then go on - this I have not checked yet since I am not
able to identify the shell/buffercode yet. The package would have been
overwritten 30 x or so, by now.

The incoming data is 4 .. 10 k in packets and outgoing it's
anywhere from 50 .. 100 k response of the server. They connect
once and are never seen again. All happens within seconds.

Maybe they are picking something up?

I checked into one source and there I could overwrite the
IP number of the router with a wide open web interface, look at
connection times etc.
(I have not actually checked, if a different IP would have
been accepted, but the web interface was there and accessible ;-)
So, with this background - one can assume the system/LAN was compromised.
I was unable to contact the party.

Apache just gives out an error message:
"Client sent malformed Host header"
  and gives the 300-byte-long NNNN code message in the log

I will email to security focus as suggested, because if nobody else
sees this kind of traffic, I could be compromised :-(


Thank you,

Samartha

>This may be of interest:
>http://www.astalavista.com/exploits/iis/buffer2.shtml
>http://www.eeye.com/html/Research/Advisories/AD20010618.html
>http://www.bhs.silesianet.pl/html/overflow_in_6.0.htm
>
>
>My guess is they are looking for MS IIS servers to root. If you are
>running any MS machines there with unpatched web server, they are
>probably gone.
>
>D. Stimits, stimits at idcomm.com
>_______________________________________________
>Web Page: http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
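A small defender-side check of the kind this thread invites, written here as an added example (it is not code from the original post or from anyone on the list): it scans Apache 1.3-style access and error log lines for the two signs the report mentions, a request line carrying a long run of one repeated byte (the "NNNN" message) and the "Client sent malformed Host header" error, and counts both per source address so the one-connection-and-gone pattern stands out. The sample log lines and the addresses in them are constructed; the 100-byte run threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache 1.3 access-log and error-log format (not from the post).
# The probe request mimics what the report describes: a request carrying a ~300-byte run of "N".
PROBE_REQUEST = "GET /?" + "N" * 300 + " HTTP/1.0"
ACCESS_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:13:02:11 -0600] "{PROBE_REQUEST}" 400 325 "-" "-"',
    '198.51.100.7 - - [19/Jul/2001:13:05:42 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Jul/2001:13:05:43 -0600] "GET /images/logo.gif HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    '203.0.113.44 - - [19/Jul/2001:13:09:58 -0600] "GET /cgi-bin/test?AAAAAAAAAAAAAAAA HTTP/1.0" 404 210 "-" "-"',
    f'203.0.113.45 - - [19/Jul/2001:13:11:02 -0600] "{PROBE_REQUEST}" 400 325 "-" "-"',
]
ERROR_LOG = [
    '[Thu Jul 19 13:02:11 2001] [error] [client 192.0.2.10] Client sent malformed Host header',
    '[Thu Jul 19 13:05:42 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico',
    '[Thu Jul 19 13:11:02 2001] [error] [client 203.0.113.45] Client sent malformed Host header',
]

# Common/combined access-log line: ip ident user [stamp] "request" status bytes ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Apache 1.3 error-log line: [stamp] [error] [client ip] message
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client (\S+)\] (.*)$')

MALFORMED_HOST = "Client sent malformed Host header"
RUN_THRESHOLD = 100  # assumed: flag a request whose longest same-byte run is at least this long


def longest_repeat_run(text):
    """Length of the longest run of one repeated character in text."""
    best = cur = 0
    prev = None
    for ch in text:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        if cur > best:
            best = cur
    return best


def suspicious_requests(access_lines, threshold=RUN_THRESHOLD):
    """Return access-log entries whose request line contains a long repeated-byte run."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, request, status, _size = m.groups()
        run = longest_repeat_run(request)
        if run >= threshold:
            hits.append({"ip": ip, "time": stamp, "status": int(status), "run": run})
    return hits


def malformed_host_errors(error_lines):
    """Return the client addresses that triggered the malformed-Host-header error."""
    ips = []
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m and m.group(3) == MALFORMED_HOST:
            ips.append(m.group(2))
    return ips


def summarize(access_lines, error_lines):
    """Per-source counts of long-run requests and malformed-Host errors."""
    per_ip = defaultdict(lambda: {"long_runs": 0, "malformed_host": 0})
    for hit in suspicious_requests(access_lines):
        per_ip[hit["ip"]]["long_runs"] += 1
    for ip in malformed_host_errors(error_lines):
        per_ip[ip]["malformed_host"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, counts in sorted(summarize(ACCESS_LOG, ERROR_LOG).items()):
        print(f"{ip}: {counts['long_runs']} long-run request(s), "
              f"{counts['malformed_host']} malformed-Host error(s)")
```

Run against real files by reading access_log and error_log into the two lists; a source that shows up once with both counters set and then never again matches the single-connection behaviour described in the post, while the ordinary client at 198.51.100.7 and the short "AAAA" request never appear in the summary.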