/var/adm/messages

finster · December 16, 2003, 12:35pm

Check message file and result posted below.
Can anyone tell me what this is a sign of, what does it mean?

server1% more messages.0
Dec 02 09:35:06 server1 bsd-gw[25101]: [ID 315218 lpr.error] Inval
id protocol request (65): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^\\2
00�w\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220�^C]�^E�����\203�^U\220\220\220\
213�3�f�^P^CP\2000\227@��~\216\225\227\227�^\M^T|\220�h��6\227\227\227\227��^^�\
227\227\227\227�L,\227\227w�^?K\226\227\227^Vl\227\227h(\230^TY\226\227\227^VT\2
27\227\226\227�^V����p�W^\ԫ\224T�^V����N^TW�^\�\224d^\�\233\224\^V������R^V�\22
3�ۤ��+�h^\ѷ\224T^\\\224\237^V������\236^V�\223�����\221�^TW\223|r\224h\224l^\�
�\224m�E�^\\200^\m^\�\207�\224o�^^\X\224^\224^\224�\213\224\^\�\224l~�\226\227\2
27�^P`^\@�W`G^\_e8^^�^Z�\237���h\205�^^�\223^Z�\202��h�\223ͤW;^SW�n�^^]\231^S^�
\236���h\205�<u^?���h�\223�^\O�W;^SW�n�^^]\231^Wn\225�\236���h\205�<up�W�����h�^
?^D�\207��h�{�\225�h�g�W��'\233<�<�<�����:�h�W���:�:�h�W�'�^^\220�h�S�W^\�c^^Ы^
^��^\\221^^Я�W�/\226\226^^л���W��������:��W�h�_h�gh�[h�kh�[����h�c^\O�W#\223�V
^?\223�h�C^\g�W^\_"\223�����h�?h�G^T�\226뵤W��h_�h�?h�K\234W㸤W�h_��h�o��h�w|_
�W�#\223���h�k��^���h�;h�O��h�w|=�h�s|i��^^�eT^\ӳ\233\222/\227\227\227P\227���\
205�WT|{^?ujhh^?^Eihh��p�^Wp�������������\227�����ۤ�\227����������\227��������
�������\227��������������\227�����������\227�������������\227�����������\227����
�����\227��������\227�����\227�����������\227\227����ܤ�\227������\227����\227��
����\227������\227����\227����\227\225\227\211�\227\227\227\227\227\227\227\227\
227\227\227\227������\227hhhh
server1%

Thanks.

PxT · December 16, 2003, 12:51pm

Error is from 'lpr' -- the print command. Have you tried printing something recently that might have caused it?

finster · December 16, 2003, 1:26pm

No printers are installed on this box.

If someone tried to print something, is this the error message I can expect in the future?

jsilva · December 16, 2003, 2:08pm

Hi,

I don't know if you pasted all the text correctly, but it might be someone trying to exploit your print daemon... if you don't need the printer service, just disable it and see if you have all the patches installed.

kduffin · December 17, 2003, 6:58am

It does look suspiciously like padding for a buffer overflow. Any service that you don't actually need (lpd in this case) should be shutdown. After seeing something like this, I'd take the time to not only proble for listening ports locally, but use an external tool such as nessus or nmap to peer into your system and etherreal to watch the outbound.

Cheers,

Keith

finster · December 17, 2003, 8:41am

Thanks for the replies.....I'll take your advice.

Thanks again.

sanaup · February 9, 2009, 7:58am

Hi,

In the entry of each messages in /var/adm/messages there ID is there, what this ID corresponds to. I mean to say how this ID get generated?

Sandeep