Re: Reboot in output from "last":

From: Carlos Moreno (moreno_at_mochima_dot_com@xx.xxx)
Date: 10/25/02


From: Carlos Moreno <moreno_at_mochima_dot_com@xx.xxx>
Date: Thu, 24 Oct 2002 18:55:24 -0400


Tim Haynes wrote:

>
>>>/var/log/messages would be the first port of call - look for what happened
>>>right before the reboot.
>>>
>>Hmm, I see two of these in there:
>>
>>Oct 20 04:39:42 linuxserve rpc.statd[761]: gethostbyname error for
>>^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\
>>220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\

Arrrggghh, me too!! :-(

I just checked my RedHat 7.3 machine, and also found these logs!!! :-(

I just downloaded chkrootkit and everything checked out fine, except
*maybe* for the following. I'm not sure if this is still ok, but it's
the only thing different (everything else reports something including
the word "not", which I guess means that it's ok) :

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.6.1/i386-linux/.packlist

Does this mean that the .packlist file was found to be suspicious?
Should I delete it? Should I unplug my machine?? (right, of course
not -- otherwise I wouldn't be able to read your replies :-))

But anyway, I wonder, what exactly does the above \220 log message
mean? It is a known exploit, yeah, but is it an exploit that
succeeds on an out-of-the-box RH7.3 system? Or is it just an
attempt of buffer overflow that might have failed?

So, my question: is the above a hint of a harmless attempt of
exploiting some "unimportant" hole? Or are we talking about an
exploit with potentially serious consequences?

Thanks for any comments!

Carlos

--
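An added example, not part of the original message: a small Python scanner that flags syslog lines like the rpc.statd entry quoted above, keyed on the features visible in it (stacked printf-style directives, the `%hn` write directive, and a run of `\220`, which is octal for byte 0x90). The sample log lines, the thresholds and the function names are constructed for this illustration.

```python
import re

# Constructed sample lines modelled on the entry quoted in the post (not real logs).
SAMPLE_LOG = r"""
Oct 20 04:39:40 linuxserve sshd[812]: Accepted password for carlos from 192.0.2.10 port 4022
Oct 20 04:39:42 linuxserve rpc.statd[761]: gethostbyname error for ^X%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220
Oct 20 04:41:03 linuxserve rpc.statd[761]: gethostbyname error for oldhost.example.com
Oct 20 04:45:00 linuxserve CROND[900]: (root) CMD (run-parts /etc/cron.hourly) 100% done
""".strip().splitlines()

# Classic BSD syslog layout: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
FMT_DIRECTIVE = re.compile(r"%\d*(?:hh|h|ll|l)?[xXdnsp]")  # %8x, %62716x, %hn ...
WRITE_DIRECTIVE = re.compile(r"%\d*(?:hh|h|ll|l)?n")       # %n family writes to memory
NOP_RUN = re.compile(r"(?:\\220){4,}")                     # syslog octal escape of 0x90

def inspect_line(line):
    """Return a finding dict for a suspicious line, or None if it looks benign."""
    m = SYSLOG.match(line)
    if not m:
        return None
    msg = m.group("msg")
    reasons = []
    if len(FMT_DIRECTIVE.findall(msg)) >= 3:   # assumed threshold for "stacked"
        reasons.append("repeated printf-style directives")
    if WRITE_DIRECTIVE.search(msg):
        reasons.append("%n-family write directive")
    if NOP_RUN.search(msg):
        reasons.append("run of \\220 (0x90) bytes")
    if not reasons:
        return None
    return {"time": m.group("ts"), "host": m.group("host"),
            "proc": m.group("proc"), "reasons": reasons}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['proc']}: " + "; ".join(f["reasons"]))
```

A hit only shows that such input reached the daemon and was logged; whether the host was affected has to be established separately (package version, file integrity, process and network state).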

