I'd like to know if the following is a kernel bug, possible
breakin attempt, syslog bug, or otherwise. I'm using a stock
unmodified 2.2.13 kernel with no patches, or external binary
modules, etc... The parts that appear suspicious to me are the
ones from "kernel: ME-enca", etc... and the hex bytes as well as
the HTML looking code. "ME-enca" looks like part of
"MIME-encapsulated" for example, and the alt="" and </TR> below
that look odd for the kernel to be reporting. What exactly is
this? Someone trying to exploit my apache?
Here is the example:
Dec 27 07:12:46 asdf PAM_pwdb[683]: (login) session opened for user mharris by LOGIN(uid=0)
Dec 27 07:12:52 asdf PAM_pwdb[680]: (login) session opened for user mharris by LOGIN(uid=0)
Dec 27 07:12:53 asdf in.identd[1070]: started
Dec 27 07:13:12 asdf in.identd[1222]: started
Dec 27 07:14:22 asdf kernel: ME-enca
Dec 27 07:14:28 asdf kernel: 3A 30 05:49:0
Dec 27 07:14:40 asdf kernel: 73 69 7A 65 3D 32 T size=2
Dec 27 07:20:02 asdf in.identd[1988]: started
Dec 27 07:39:42 asdf in.identd[2069]: started
Dec 27 07:42:59 asdf in.identd[2096]: started
Dec 27 07:46:16 asdf in.identd[2117]: started
Dec 27 07:52:48 asdf in.identd[2144]: started
Dec 27 07:56:05 asdf in.identd[2165]: started
Dec 27 08:18:51 asdf in.identd[2204]: started
Dec 27 08:22:07 asdf in.identd[2227]: started
Dec 27 08:28:38 asdf in.identd[2248]: started
Dec 27 08:35:08 asdf in.identd[2271]: started
Dec 27 08:38:37 asdf in.identd[2293]: started
Dec 27 08:45:10 asdf in.identd[3066]: started
Dec 27 08:52:33 asdf in.identd[3180]: started
Dec 27 08:55:05 asdf in.identd[3198]: started
Dec 27 08:55:20 asdf in.identd[3219]: started
Dec 27 08:56:15 asdf in.identd[3231]: started
Dec 27 08:56:30 asdf in.identd[3242]: started
Dec 27 08:57:26 asdf in.identd[3253]: started
Dec 27 08:57:48 asdf in.identd[3264]: started
Dec 27 08:58:42 asdf in.identd[3277]: started
Dec 27 09:00:39 asdf kernel: 61 6C 74 3D 22 22 6 alt=""
Dec 27 09:01:01 asdf kernel: A 3C 2F 54 52 3E D>.</TR>
Dec 27 09:02:12 asdf in.identd[3315]: started
Dec 27 09:02:19 asdf in.identd[3336]: started
Dec 27 09:05:35 asdf in.identd[3362]: started
Dec 27 09:08:52 asdf in.identd[3396]: started
Also, I've never seen the following - which are new:
Dec 28 01:17:21 asdf modprobe: can't locate module binfmt-00b0
Dec 28 01:17:21 asdf modprobe: can't locate module binfmt-00b0
-- Mike A. Harris Linux advocate Computer Consultant GNU advocate Capslock Consulting Open Source advocateJoin the FreeMWare project - the goal to produce a FREE program in which you can run Windows 95/98/NT, and other operating systems.
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:29 EST