Mailinglist Archive: opensuse-security (465 mails)

Attack or not?
  • From: "Erwin Zierler - stubainet.at" <erwin.zierler@xxxxxxxxxxxx>
  • Date: Sun, 30 Dec 2001 11:38:48 +0100
  • Message-id: <3C2EEEB8.4010009@xxxxxxxxxxxx>
Hi all,

I have recently found the following lines in /var/log/messages on one of
my servers running SuSE 7.0, kernel 2.2.16, openssh-2.1.1p1-19:

Dec 28 09:21:10 server -- MARK --
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
[many many more of this]
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 28 14:34:46 server syslogd 1.3-3: restart.

This server is connected to the internet via ADSL and sits behind a
Zyxcel Prestige 310 where port 22 is NATed to the server. This is
for remote administration - everything else on the Zyxcel is closed
to the outside world.

Looks to me like a buffer overflow with a following crash, but then there
is this time gap between the long line of ^@'s and the server restart
(09:21 - 14:34) which worries me. I have not reached anyone there so I'll
have to wait until next week to find out whether they maybe did a
hard-boot or something. last shows:
reboot system boot 2.2.16 Fri Dec 28 14:34 (1+20:48)
reboot system boot 2.2.16 Fri Dec 28 11:56 (1+23:26)

Checking the system with chkrootkit gave me only one weird line:

Checking `wted'... 1 deletion(s) between Fri Dec 28 11:56:50 2001 and Fri Dec 28 11:56:50 2001

Anyway, I wondered if anyone has seen something similar yet and if
I have to worry.

Thanks in advance for your input.
Erwin
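An added example, not part of the post or the list: the ^@ characters are the caret notation for NUL (0x00) bytes, and long runs of them in /var/log/messages commonly appear when the machine stops abruptly (crash or power loss) before ext2 has flushed the data blocks syslogd already wrote. The script below scans a raw syslog file for such runs and reports the last timestamped entry before each run, the first one after it, the length of the silent gap, and whether the first entry after the gap is a syslogd restart. The log text is constructed to mirror the post; classic syslog timestamps carry no year, so the year (2001) is an assumption.

```python
import re
from datetime import datetime

# Classic syslog lines start with "Mon DD HH:MM:SS host ..." and omit the year,
# so a year is assumed (2001, matching the post) to build comparable datetimes.
TS_RE = re.compile(rb"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
ASSUMED_YEAR = 2001

def parse_ts(line):
    """Return the datetime of a syslog line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    text = b" ".join(m.groups()).decode()
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")

def find_nul_gaps(log):
    """Locate runs of NUL bytes in a raw syslog file and bound the silent gap
    around them: the last real entry before the NULs and the first one after.
    A NUL-filled region means blocks were allocated but never got their data,
    which is what an abrupt stop leaves behind; the gap length tells you how
    long the box was down or not logging."""
    findings, last_ts, nul_count = [], None, 0
    for raw in log.split(b"\n"):
        nul_count += raw.count(b"\x00")
        ts = parse_ts(raw.replace(b"\x00", b""))  # entry may share the line with NULs
        if ts is None:
            continue
        if nul_count:
            findings.append({
                "last_entry": last_ts,
                "next_entry": ts,
                "nul_bytes": nul_count,
                "gap_seconds": (ts - last_ts).total_seconds() if last_ts else None,
                "next_is_syslog_restart": b"syslogd" in raw and b"restart" in raw,
            })
            nul_count = 0
        last_ts = ts
    return findings

# Constructed sample shaped like the post: a MARK line, two NUL-filled lines,
# then syslogd coming back after the reboot.
SAMPLE_LOG = b"".join([
    b"Dec 28 08:41:10 server -- MARK --\n",
    b"Dec 28 09:21:10 server -- MARK --\n",
    b"\x00" * 200 + b"\n",
    b"\x00" * 200 + b"\n",
    b"Dec 28 14:34:46 server syslogd 1.3-3: restart.\n",
    b"Dec 28 14:34:47 server kernel: klogd 1.3-3, log source = /proc/kmsg started.\n",
])

if __name__ == "__main__":
    for f in find_nul_gaps(SAMPLE_LOG):
        print(f)  # one finding: 09:21:10 -> 14:34:46, 400 NULs, gap 18816.0 s
```

Run it against the real file with `find_nul_gaps(open("/var/log/messages", "rb").read())`; a gap that ends in a syslogd restart and lines up with a `reboot` entry from `last` points at an unclean shutdown rather than at tampering with the log itself, but it says nothing about what happened before the MARK line, so the wtmp deletion still has to be looked at separately.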


