[PLUG] Error Messages . . .

Tim tim-pdxlug at sentinelchicken.org
Wed Aug 11 04:01:50 UTC 2010


> Message from syslogd at server2 at Tue Aug 10 15:41:33 2010 ...
> server2 kernel: Stack: dfb41f64 00000000 00000000 00000000 00000000
> 
> Message from syslogd at server2 at Tue Aug 10 15:41:33 2010 ...
> server2 kernel: Call Trace:
> 
> Message from syslogd at server2 at Tue Aug 10 15:41:33 2010 ...
> server2 kernel: Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 89 d0 52 
> ff d3 <00> 00 00 a0 ff 53 4d 42 32 00 00 00 8b 40 0c c3 ff 05 08 d0 34
> 
> Message from syslogd at server2 at Tue Aug 10 15:41:33 2010 ...
> server2 kernel: EIP: [<c0101005>] kernel_thread_helper+0x5/0xb SS:ESP 
> 0068:dfa05fec


Uh... yeah, that would make me very nervous as well.  Why?  Because of
all of those "90" bytes.  Maybe it's something completely unrelated,
but when attackers craft buffer overflow exploits, it's common to use a
"NOP" sled to give them fudge factor on offsets.  NOP on x86 is 0x90.

As others have asked, is this connected to the Internet?  What
services are exposed?  You might want to get a full packet capture of
your network traffic while this error pops up.  Contact me off list if
you like.


tim
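As an added example (not part of Tim's reply or the original thread), a small Python triage check for the kernel's oops `Code:` line: it parses the byte dump, locates the `<xx>` marker the kernel puts on the byte at EIP, and measures the longest run of 0x90 ahead of it. The flagging threshold and the second, benign sample line are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed samples. The first is the wrapped "Code:" line from the oops
# quoted above, re-joined into one line; the second is a made-up benign
# function body for comparison.
OOPS_CODE_LINE = (
    "Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 "
    "90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 89 d0 52 "
    "ff d3 <00> 00 00 a0 ff 53 4d 42 32 00 00 00 8b 40 0c c3 ff 05 08 d0 34"
)
BENIGN_CODE_LINE = "Code: 55 89 e5 83 ec 08 8b 45 08 <8b> 00 c9 c3 90 90 90 90 55"

X86_NOP = 0x90
TOKEN_RE = re.compile(r"<([0-9a-fA-F]{2})>|\b([0-9a-fA-F]{2})\b")


@dataclass
class CodeDump:
    code: bytes      # raw bytes around the faulting instruction
    eip_index: int   # offset of the byte the kernel bracketed as <xx> (EIP)


def parse_code_line(line: str) -> CodeDump:
    """Parse an x86 oops 'Code:' line; the kernel brackets the byte at EIP."""
    body = line.split("Code:", 1)[1]
    raw, eip_index = bytearray(), -1
    for m in TOKEN_RE.finditer(body):
        if m.group(1) is not None:
            eip_index = len(raw)
        raw.append(int(m.group(1) or m.group(2), 16))
    if eip_index < 0:
        raise ValueError("no <xx> EIP marker in Code: line")
    return CodeDump(bytes(raw), eip_index)


def longest_nop_run(code: bytes, end: int) -> int:
    """Longest run of 0x90 bytes in code[:end], i.e. before the faulting byte."""
    best = run = 0
    for b in code[:end]:
        run = run + 1 if b == X86_NOP else 0
        best = max(best, run)
    return best


def assess(line: str, threshold: int = 16) -> dict:
    """Flag a dump whose pre-EIP bytes look like a NOP sled. Compilers do emit
    short 0x90 padding for alignment, so the run length (assumed threshold 16)
    is a triage signal to investigate, not proof of an exploit."""
    d = parse_code_line(line)
    run = longest_nop_run(d.code, d.eip_index)
    return {"bytes": len(d.code), "eip_index": d.eip_index,
            "eip_byte": d.code[d.eip_index], "nop_run": run,
            "suspicious": run >= threshold}
```

Feed it each `Code:` line from the syslog broadcasts (re-joined if the mailer wrapped them) and keep the flagged dumps alongside the packet capture Tim suggests.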


