Security Incidents mailing list archives
Re: rooted by r0x - from address 212.177.241.127
From: dbooth () FIBRES NET (Dave Booth)
Date: Tue, 4 Apr 2000 08:45:14 -0700
On Sat, 1 Apr 2000, karthik krishnamurthy wrote:
> Since many people are discussing the bind nxt bug I thought I might add another symptom of a NXT attack. Before named crashes it logs the nameserver and the domain used for the attack. lame nameserver on domain xxx.xxx.xxx server xx.xxx.xx or something to that effect which is what steve has found in his logs.
Is this sort of log entry indicative of an attempt at exploiting the NXT bug, even if one is running a version of bind that is supposedly not vulnerable? I've seen a lot of discussion of the footprints of a successful exploit but not a lot of info on how to detect unsuccessful attempts (IMHO almost as important to monitor as when they actually get in). This of course assumes that it relates to a nameserver that isn't truly lame for the domain in question....

--
Dave Booth dbooth () fibres net
+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                                                          T E Lawrence |
+-----------------------------------------------------------------------+