Security Incidents mailing list archives

Re: rooted by r0x - from address 212.177.241.127


From: slam () ONEMAIN COM (- -)
Date: Thu, 6 Apr 2000 19:37:31 -0400


I don't think a lame server would be a very good indication of an NXT attempt. Certainly it does say this if you have been compromised, but it could say that 15 other times that day because some people don't configure things properly. I assume that a seasoned hacker would most likely use "DIG" or some other probe to find the version of bind they are looking for.

Any other thoughts?

Adam Skulker.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Dave Booth
Sent: Tuesday, April 04, 2000 8:45 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: rooted by r0x - from address 212.177.241.127


On Sat, 1 Apr 2000, karthik krishnamurthy wrote:

Since many people are discussing the BIND NXT bug I thought I might add another symptom of an NXT attack. Before named crashes it logs the nameserver and the domain used for the attack:
lame nameserver on domain xxx.xxx.xxx
server xx.xxx.xx
or something to that effect, which is what Steve has found in his logs.

Is this sort of log entry indicative of an attempt at exploiting the NXT
bug, even if one is running a version of bind that is supposedly not
vulnerable? I've seen a lot of discussion of the footprints of a
successful exploit but not a lot of info on how to detect unsuccessful
attempts (IMHO almost as important to monitor as when they actually get
in). This of course assumes that it relates to a nameserver that isn't truly
lame for the domain in question...

--
Dave Booth
dbooth () fibres net
+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                             T E Lawrence                              |
+-----------------------------------------------------------------------+
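Adam's point that lame-server messages are mostly noise, and Karthik's observation that named logs one just before it crashes, suggest a simple triage rule: count the messages per reporting server, but only flag the ones logged within seconds of named exiting. The Python below is an added example, not code from anyone in this thread; the log lines are constructed in a BIND 8-style format and the 30-second window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines modelled on BIND 8's lame-server message.
# Hostnames, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Apr  1 10:02:11 ns1 named[314]: Lame server on 'foo.example' (in 'foo.example'?): [198.51.100.7].53 'ns.foo.example'
Apr  1 10:02:15 ns1 named[314]: Lame server on 'bar.example' (in 'bar.example'?): [198.51.100.7].53 'ns.bar.example'
Apr  1 11:40:02 ns1 named[314]: Lame server on 'baz.example' (in 'baz.example'?): [203.0.113.9].53 'ns.baz.example'
Apr  1 11:40:03 ns1 named[314]: Lame server on 'qux.example' (in 'qux.example'?): [203.0.113.9].53 'ns.qux.example'
Apr  1 11:40:03 ns1 named[314]: exiting (due to fatal error)
Apr  1 11:40:09 ns1 named[980]: starting.  named 8.2.2-P5
"""

# domain, reporting server address and port from a lame-server line
LAME_RE = re.compile(r"named\[\d+\]: Lame server on '([^']+)' .*?\[([\d.]+)\]\.(\d+)")
# named going away; what follows a lame-server message in the symptom described above
EXIT_RE = re.compile(r"named\[\d+\]: exiting")


def parse_ts(line):
    """Syslog timestamps carry no year; the default (1900) is fine for ordering."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def triage(log_text, window_s=30):
    """Return (lame messages per server address, list of (server, domain)
    pairs logged within window_s seconds before named exited).

    The per-server counts show the background noise from misconfigured
    delegations; only the pairs in the second list deserve a closer look.
    """
    per_server = Counter()
    recent = []        # lame-server events seen since the last named exit
    suspicious = []
    for line in log_text.splitlines():
        m = LAME_RE.search(line)
        if m:
            domain, server, _port = m.groups()
            per_server[server] += 1
            recent.append((parse_ts(line), server, domain))
            continue
        if EXIT_RE.search(line):
            died = parse_ts(line)
            for ts, server, domain in recent:
                if 0 <= (died - ts).total_seconds() <= window_s:
                    suspicious.append((server, domain))
            recent.clear()   # events before a restart do not carry over
    return per_server, suspicious
```

Running it on the sample flags only the two messages from 203.0.113.9 that precede the exit, while the earlier pair from 198.51.100.7 is counted as ordinary noise.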

