15 digit HEX string in /var/log/messages

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Feb 15 00:45:48 PST 2006


Tom Nguyen wrote:
> Greetings all,
> 
> Running FreeBSD 5.4 stable on an Intel x86 platform. Need help in
> deciphering/figuring out the cause of the strange 15-character HEX
> strings that are being logged in /var/log/messages:
> 
> [...]
> Feb 14 13:11:39 hostx kernel: 3E0D0A3C6172656
> Feb 14 13:14:12 hostx kernel: 4163636570742D4
> Feb 14 13:14:19 hostx kernel: 69742532464C697
> Feb 14 13:14:26 hostx kernel: 4163636570742D4
> Feb 14 13:31:44 hostx kernel: 732E616861696E7
> Feb 14 13:32:31 hostx kernel: 415577426F41475
> Feb 14 13:32:31 hostx kernel: 415577426F41475
> Feb 14 13:33:40 hostx kernel: 2A0D0A416363657
> Feb 14 13:33:48 hostx kernel: 2E616861696E746
> Feb 14 13:33:49 hostx kernel: 736573736D656E7
> Feb 14 13:43:22 hostx kernel: 45414141412F2F2
> Feb 14 14:00:38 hostx kernel: 780D0A416363657
> Feb 14 14:02:45 hostx kernel: 0A200D0A09626F7
> Feb 14 14:13:19 hostx kernel: 70616765732F686
> Feb 14 14:39:10 hostx kernel: 64066FF3ED39E31
> Feb 14 14:47:57 hostx kernel: 414141414141414
> [...]
> 
> This has been occurring for several weeks now. First thought was some
> type of attack but our IDS doesn't pick up anything unusual.
> Google searches don't give any clues. Can anyone shed some light on this?

Those strings look like the hex-encoded byte values of mostly ASCII text.
You can convert them into something potentially readable by:

    % perl -le 'print pack ("C*", map { hex } ("414141414141414" =~ m/../g ) ) ;'
    AAAAAAA

However what comes out is not anything recognisable.  You might be able to
spot something within the larger quantities of data in your log files though.

I would hazard a guess here that what you are seeing is someone trying to
exploit a buffer overflow in some way.  The '4141414141' pattern is often
used as a marker to show what bits of the stack have been overwritten during
the initial attempts to develop an overflow.  The next stage would be to
inject shell code and together with something like overwriting part of the
stack frame so that a function call jumps to executing that code.  Voila,
machine hacked.

Of course, I could be wrong, and this all might have a completely innocent
explanation.  An in-depth review of security would certainly be indicated
here though.  Check all of the software you're running against databases of
exploits such as VuXML (http://vuxml.freebsd.org/), Secunia (http://secunia.org/),
CVE (http://www.cve.mitre.org/).  Make sure all software is up to date. Turn
off anything you don't actually need to be running, and configure other
services not to listen on internet facing network ports if they don't need to
do that.  Use tcpdump or similar programs like ethereal to try and spot
unexpected network traffic.  Look for core files from daemon processes, and
examine them in a debugger -- sometimes you can tell that a process was crashed
by an overflow attempt. 

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
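The decoding step Matthew describes, done over the whole log rather than one
string at a time, as an added example (it is not part of the original post and
not a FreeBSD tool). It picks out syslog lines whose kernel message is a bare
run of hex digits, decodes each pair to a byte, renders the result with
non-printable bytes escaped, and flags the 0x41 ('A') filler runs he mentions.
The sample input is a subset of the lines quoted above plus one constructed
non-hex kernel line to show the filter; the regular expression for the syslog
line format and the threshold of four filler bytes are assumptions. Run over the
quoted lines it decodes, for instance, 4163636570742D4 to "Accept-" and
414141414141414 to "AAAAAAA".

```python
import re
from typing import List, NamedTuple

# Sample input: lines copied from the quoted post above, plus one constructed
# non-hex kernel line (the last one) to show that it is skipped.
SAMPLE_LOG = """\
Feb 14 13:11:39 hostx kernel: 3E0D0A3C6172656
Feb 14 13:14:12 hostx kernel: 4163636570742D4
Feb 14 13:33:40 hostx kernel: 2A0D0A416363657
Feb 14 13:43:22 hostx kernel: 45414141412F2F2
Feb 14 14:39:10 hostx kernel: 64066FF3ED39E31
Feb 14 14:47:57 hostx kernel: 414141414141414
Feb 14 14:48:01 hostx kernel: link state changed to UP
"""

# Assumed syslog layout: "<Mon> <day> <hh:mm:ss> <host> kernel: <message>",
# matched only when the whole message is a run of at least 8 hex digits.
HEX_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<hex>[0-9A-Fa-f]{8,})$"
)


def decode_hex_fragment(hexstr: str) -> bytes:
    """Decode hex digit pairs into bytes. A dangling odd nibble (the 15th
    digit in the posted lines) is dropped rather than zero-padded, which is
    also what the Perl m/../g split does."""
    pairs = re.findall(r"[0-9A-Fa-f]{2}", hexstr)
    return bytes(int(p, 16) for p in pairs)


def render(data: bytes) -> str:
    """Printable ASCII is shown as-is; every other byte becomes a \\xNN escape
    so CR/LF and binary junk stay visible on one line."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def has_filler_run(data: bytes, filler: int = 0x41, min_len: int = 4) -> bool:
    """True if `data` holds at least `min_len` consecutive `filler` bytes.
    0x41 ('A') is the classic padding byte in overflow attempts; the run
    length of 4 is an assumed threshold."""
    return bytes([filler]) * min_len in data


class Decoded(NamedTuple):
    ts: str
    hexstr: str
    text: str
    filler: bool


def scan_messages(log_text: str) -> List[Decoded]:
    """Decode every hex-only kernel line in `log_text`; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        raw = decode_hex_fragment(m["hex"])
        out.append(Decoded(m["ts"], m["hex"], render(raw), has_filler_run(raw)))
    return out


if __name__ == "__main__":
    # e.g. scan_messages(open("/var/log/messages").read()) on a real box
    for d in scan_messages(SAMPLE_LOG):
        mark = "  <-- 0x41 filler run" if d.filler else ""
        print(f"{d.ts}  {d.hexstr}  {d.text!r}{mark}")
```

Because the log only keeps seven bytes per line, the decoded fragments are too
short to reconstruct a payload; the point is to see whether the text is
printable at all and where the 'A' runs cluster in time, which is what you would
then correlate against tcpdump captures or daemon core files.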


