Posted to users@httpd.apache.org by "Lazor, Ed" <EL...@providence.org> on 2002/03/11 19:26:11 UTC

log entry sign of hacker?

Anyone know what this is?  I've seen it showing in Apache's logs a few times
and I'm wondering what it is.  Thanks for any information you can help
provide in terms of what it is and what I can do to make sure I'm protected.
-Ed


Mar  6 04:37:49 castle rpc.statd[757]: gethostbyname error for 
(÷ÿ¿(÷ÿ¿)÷ÿ¿)÷ÿ¿*÷ÿ¿*÷ÿ¿+÷ÿ¿+÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%252x%n%121x%n%10
x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220
 
****************************************************************************
This message is intended for the sole use of the individual and entity to
whom it is addressed, and may contain information that is privileged,
confidential and exempt from disclosure under applicable law.  If you are
not the intended addressee, nor authorized to receive for the intended
addressee, you are hereby notified that you may not use, copy, disclose or
distribute to anyone the message or any information contained in the
message.  If you have received this message in error, please immediately
advise the sender by reply email and delete the message.  Thank you very
much.                                                                       

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


AW: log entry sign of hacker?

Posted by Scaglione Ermanno <sc...@starnetone.de>.
You can find more information here:
http://www.cert.org/incident_notes/IN-2000-10.html

-----Original Message-----
From: John Darin Holloway [mailto:jdholloway@blue.net]
Sent: Monday, 11 March 2002 20:13
To: users@httpd.apache.org
Subject: Re: log entry sign of hacker?


Could be a buffer overflow attempt, but it doesn't have the tell-tale signs
of an MS-directed attack (looking for root.exe, MSADC/scripts directory).  The
gethostbyname error is interesting, possibly a bum C library?  Might try
recompiling/getting fresh binaries and see if the problem goes away.


John Darin Holloway
Bluegrass Network, LLC


----- Original Message -----
From: "Lazor, Ed" <EL...@providence.org>
To: <us...@httpd.apache.org>
Sent: Monday, March 11, 2002 01:26 PM
Subject: log entry sign of hacker?


> Anyone know what this is?  I've seen it showing in Apache's logs a few times
> and I'm wondering what it is.  Thanks for any information you can help
> provide in terms of what it is and what I can do to make sure I'm protected.
> -Ed


Re: log entry sign of hacker?

Posted by John Darin Holloway <jd...@blue.net>.
Could be a buffer overflow attempt, but it doesn't have the tell-tale signs
of an MS-directed attack (looking for root.exe, MSADC/scripts directory).  The
gethostbyname error is interesting, possibly a bum C library?  Might try
recompiling/getting fresh binaries and see if the problem goes away.


John Darin Holloway
Bluegrass Network, LLC


----- Original Message -----
From: "Lazor, Ed" <EL...@providence.org>
To: <us...@httpd.apache.org>
Sent: Monday, March 11, 2002 01:26 PM
Subject: log entry sign of hacker?


> Anyone know what this is?  I've seen it showing in Apache's logs a few times
> and I'm wondering what it is.  Thanks for any information you can help
> provide in terms of what it is and what I can do to make sure I'm protected.
> -Ed
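
A defender's check for the kind of entry quoted in this thread, as an added example that is not part of the original messages: it flags rpc.statd "gethostbyname error for" lines whose argument carries printf directives (%n, runs of %8x) or long runs of \220 (octal for byte 0x90) instead of a host name. The sample lines, check names and thresholds are constructed for illustration, and the code assumes one log entry per line.

```python
import re

# Constructed sample lines modelled on the thread's entry (payload shortened).
SAMPLE_LOG = [
    "Mar  6 04:37:49 castle rpc.statd[757]: gethostbyname error for "
    "%8x%8x%8x%252x%n%121x%n%10x%n%192x%n" + "\\220" * 40,
    "Mar  6 04:40:02 castle rpc.statd[757]: gethostbyname error for nfsclient01",
    "Mar  6 04:41:10 castle sshd[812]: Accepted password for ed from 192.0.2.10",
]

# Text after "error for" is the caller-supplied name statd could not resolve.
STATD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"rpc\.statd\[\d+\]:\s+gethostbyname error for\s*(?P<arg>.*)$"
)
CHECKS = [
    ("format-write", re.compile(r"%(?:\d+\$)?h{0,2}n")),   # %n stores a count
    ("format-read", re.compile(r"(?:%\d*[xXdup]){4,}")),   # runs like %8x%8x
    ("nop-run", re.compile(r"(?:\\220|\x90){8,}")),        # 0x90 shown as \220
]
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def classify(line):
    """Return None for non-statd lines, else a list of reasons (empty = benign)."""
    m = STATD.match(line)
    if m is None:
        return None
    arg = m.group("arg").strip()
    reasons = [name for name, rx in CHECKS if rx.search(arg)]
    if not HOSTNAME.match(arg):
        reasons.append("not-a-hostname")  # also true when the name is empty
    return reasons


def scan(lines):
    """Return (timestamp, host, reasons) for each suspicious rpc.statd line."""
    findings = []
    for line in lines:
        m = STATD.match(line)
        reasons = classify(line)
        if reasons:
            findings.append((m.group("ts"), m.group("host"), reasons))
    return findings


if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_LOG):
        print(ts, host, ",".join(reasons))
```

The entry comes from rpc.statd through syslog, so the file to scan is the system log rather than Apache's access or error log.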