• Status: Solved

possible attempt to exploit buffer overflow?

Nov  6 01:24:44 mail nscd[289]: [ID 461630 user.crit] gethostans: possible attempt to exploit buffer overflow while looking up linux.somesite.com.my

OS: Solaris 9

The above is the warning message I found in /var/adm/messages a few days back. And there's only one of it.

May I know exactly what this is? I was told that the malicious attempt (if there is one) could hang the system. Are there any patches or settings I can apply to prevent such an attempt from occurring?

The system is still running fine but prevention is better than cure.

2 Solutions

nscd is the Name Service Cache Daemon. It caches for name services such as NIS, DNS, LDAP...
You can go to the URL to download the latest patch for nscd.

The instructions to install are at the bottom of that page:
# patchadd /var/spool/patch/104945-02


Please apply the Solaris Recommended Patch Clusters and add the following to the
 /etc/system file:

       * Disable the ability to execute code from the stack
       * This will actively prevent many buffer overflows
       set noexec_user_stack=1

       * This will report buffer overflows
       set noexec_user_stack_log=1

You need to reboot the box after the change.
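
A triage helper for the two things discussed in this thread, as an added example that is not code from any of the posters: it counts the nscd gethostans warnings in a messages file per looked-up name, and reports whether the two /etc/system settings above are active. The function names and the sample file locations are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Print "count hostname" for each name that triggered the nscd warning.
nscd_overflow_hosts() {
    awk '/nscd\[[0-9]+\]:/ &&
         /gethostans: possible attempt to exploit buffer overflow while looking up/ {
             seen[$NF]++
         }
         END { for (h in seen) print seen[h], h }' "$1" | sort -k1,1nr -k2
}

# Print the value of a "set NAME=VALUE" tunable from an /etc/system style file.
# "*" starts a comment line there. Assumption: if a tunable is set more than
# once, the last assignment is the one reported.
system_tunable() {
    awk -v name="$2" '
        /^[ \t]*\*/ { next }
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)   # drop the keyword
            gsub(/[ \t]/, "", line)             # tolerate "name = value"
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == name) val = substr(line, n + 1)
        }
        END { if (val == "") exit 1; print val }' "$1"
}

# Print both settings from the answer; return non-zero unless both are 1.
check_noexec_stack() {
    rc=0
    for t in noexec_user_stack noexec_user_stack_log; do
        v=$(system_tunable "$1" "$t") || v=unset
        [ "$v" = 1 ] || rc=1
        echo "$t=$v"
    done
    return $rc
}

# Write sample files into directory $1 for a dry run. The first log line is
# the one quoted in the question; everything else is constructed.
make_samples() {
    printf '%s\n' \
      'Nov  6 01:24:44 mail nscd[289]: [ID 461630 user.crit] gethostans: possible attempt to exploit buffer overflow while looking up linux.somesite.com.my' \
      'Nov  6 01:25:02 mail sendmail[301]: [ID 801593 mail.info] constructed unrelated line' \
      > "$1/messages"
    printf '%s\n' '* set noexec_user_stack=0' 'set noexec_user_stack = 1' > "$1/system"
}
```

The script needs a POSIX shell and awk; on Solaris 9 that means /usr/xpg4/bin/sh and nawk or /usr/xpg4/bin/awk rather than /bin/sh and /usr/bin/awk.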
shawnk (Author) Commented:
Hi guys,
Thanks for the info.
Would appreciate if the admin can give yuzh's answer as "accepted answer" as well.
shawnk (Author) Commented:
Hi wesly,
Oops, the patch link you gave me above is for Solaris 8 but I'm using Solaris 9.

Would appreciate if you have the specific patch instead of the cluster patch... wouldn't want to risk having new problems if you know what I mean...

I looked through the Sol 9 report but there isn't any nscd patch included in there. Maybe I'm just looking at the wrong keyword.

There is no patch directly for nscd on Solaris 9. However, there is one which might be related.

  You can make a request to ask to split the points.

shawnk (Author) Commented:
I guess I will start resolving this issue by making the setting in /etc/system like what Yuzh has suggested and see how it goes.

The server is actually a mail server. Not sure why the nscd daemon (in my case its purpose is probably caching host lookups?) is causing this buffer overflow warning message.

Anyway thanks guys.
