[syslog-ng]syslog-ng unknown messages in my syslog.log file(HP-UX)

Blaise St-Laurent bstlaurent@okiok.com
Thu, 13 Feb 2003 10:48:26 -0500


> Hello everyone,
>
> I've just received syslog messages that I completely don't understand.
> Does anybody know why this messages have been sent to syslog.log file.
> And also if there is any problem with my server machine. And what I should
> do to solve the problem.
>
> Feb 13 16:21:23 hpd002 syslog: libtt[18108]: ttdt_Xt_input_handler():
> tttk_message_receive(): TT_ERR_NOMP^INo ttsession pr
> ocess is running, probably because tt_open() has not been called yet. If
> this code is returned from tt_open() it means tts
> ession could not be started, which generally means ToolTalk is not
> installed on this system.
> Feb 13 16:21:23 hpd002 syslog: libtt[18117]: ttdt_Xt_input_handler():
> tttk_message_receive(): TT_ERR_NOMP^Ittsession ^Cv^C
> ^M^CZ^CX^B*^S.^Ml^B5^BD^B"^B\^B9^Bq^AB^Q=^U*^AAtt_open()
> ^B*^LD^BQ^Oo^B3^Bj^BD^B"^BH^B"^B1^BF^B*^L4^Hv^BE^B7^ABtt_open() ^
> B)^Bg^B1^BL^CR^A[^Ch^B*^UT^B3^Bj^B=^Oj^M^G^BM^AAttsession
> ^B*^KN^S.^BE^B+^BH^B"^BF^B"^B$^HS^V!^BE^B ^Bh^AA^RJ^Om^BM ToolTa
> lk ^B*^B1^BL^CV^CX^Ce^C
>
My guess is someone's been trying to run a buffer overrun exploit on your
libtt install. (a part of the ToolTalk package)

a quick look on securityfocus pulls up 14 advisories against that particular
software.

my guess is you're being hit by someone trying to exploit this:
http://online.securityfocus.com/advisories/3647
but that's just a really quick guess.