From: basel novo
Subject: exploit signalled in Xemacs/ACL
Date: 
Message-ID: <7cfb32cc.0405071411.6630524b@posting.google.com>
Hi,

Our main webserver has been attacked with an exploit that allows
unauthorized hosts to establish a connection. The only signal that
such an attack is underway is that an error message like the following
appears in the Xemacs Lisp buffer:

Error (eof encountered on stream
       #<MULTIVALENT stream socket connected from rctbank.ucsf.edu/1025 to
         ucsfras-246-233.ucsf.edu/1843 @ #x5e1eb9a>) starting emacs process.

Shortly afterward, 'netstat -a' will reveal a connection from an
unknown host like this one:

rctbank.32773 ip68-7-215-168.sd.sd.cox.net.2757 64240 0 24820   0 ESTABLISHED

Does the error message from Xemacs look familiar to anyone? It would
be a huge help to us if we could understand what causes this error to be
signalled.

The hardware/OS/ACL versions are Sun Blade 2000/Solaris 8/ACL 6.0

Thanks,

Ben

From: Stephen J. Turnbull
Subject: Re: exploit signalled in Xemacs/ACL
Date: 
Message-ID: <87y8o360i1.fsf@tleepslib.sk.tsukuba.ac.jp>
>>>>> "basel" == basel novo <·········@hotmail.com> writes:

    basel> Does the error message from Xemacs look familiar to anyone? 
    basel> It would be a huge help to us if we could understand what
    basel> causes this error to be signalled.

It seems unlikely to me that this is coming from XEmacs; the phrases
"MULTIVALENT" and "stream socket" appear nowhere in the sources.

If ACL = Allegro (or whatever) Common Lisp, I would say that's a
better place to look.

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.

From: basel novo
Subject: Re: exploit signalled in Xemacs/ACL
Date: 
Message-ID: <7cfb32cc.0405081641.792fb737@posting.google.com>
"Stephen J. Turnbull" <·······@xemacs.org> wrote in message news:<··············@tleepslib.sk.tsukuba.ac.jp>...
> >>>>> "basel" == basel novo <·········@hotmail.com> writes:
> 
>     basel> Does the error message from Xemacs look familiar to anyone? 
>     basel> It would be a huge help to us if we could understand what
>     basel> causes this error to be signalled.
> 
> It seems unlikely to me that this is coming from XEmacs; the phrases
> "MULTIVALENT" and "stream socket" appear nowhere in the sources.
> 
> If ACL = Allegro (or whatever) Common Lisp, I would say that's a
> better place to look.

Yes, that message is definitely coming from Allegro Common Lisp.  I
posted this to the xemacs group (maybe inappropriately) because it
occurred in the Xemacs interface to Lisp and also because of the
reference to "starting emacs process":

Error (eof encountered on stream
       #<MULTIVALENT stream socket connected from rctbank.ucsf.edu/1025 to
         ucsfras-246-233.ucsf.edu/1843 @ #x5e1eb9a>) starting emacs process.

From: Vladimir Sedach
Subject: Re: exploit signalled in Xemacs/ACL
Date: 
Message-ID: <87pt9f3u9h.fsf@shawnews.cg.shawcable.net>
Hello,

Since you're running Allegro Common Lisp, you're likely running
Franz's AllegroServe. I suggest you post your problem to the
AllegroServe mailing list
(http://opensource.franz.com/mailinglist.html) and contact John
Foderaro at Franz (http://www.franz.com/about/contact/). If this is
indeed an exploit, I think it's the first reported one, and they're
really going to want to see it. I don't think Emacs has anything to do
with your problem. Also, it's probably a good idea to get in touch
with whoever set up your system, if you haven't done so already.

Vladimir