Security Incidents mailing list archives
Re: rooted by r0x - from address 212.177.241.127
From: karthik_krish76 () YAHOO COM (karthik krishnamurthy)
Date: Sat, 1 Apr 2000 02:40:24 -0800
Since many people are discussing the BIND NXT bug, I thought I might add another symptom of a NXT attack. Before named crashes it logs the nameserver and the domain used for the attack: "lame nameserver on domain xxx.xxx.xxx server xx.xxx.xx" or something to that effect, which is what Steve has found in his logs.

regards

--- Steve <steve () SR-TECH COM> wrote:
I was running a stock RedHat 6.1 box as a DNS server and got rooted 3-20-2000. I had the ADMROCKS directory in /var/named, so I know they used the "ADM named 8.2/8.2.1 NXT remote overflow" exploit to get in. Apparently it's a piece of cake for any kid to get in this way. They also planted the trin00 DoS daemon, and tried to compile the portscanner locally, but I had no development tools installed. They modified a bunch of files, probably a "root kit". I felt like a real dork for not paying attention to the security web sites more closely. It's pretty well known now that BIND 8.2/8.2.1 are a snap to exploit.

My suggestion is to install the latest BIND patch level 5 along with openssh 1.2.3, and shut everything else off you don't need. Fortunately, the hackers' interest wasn't in taking down my server, but to keep the compromise low key, so it could serve as a remote attack point.

Funny thing is that I was having DNS lookup problems that week, and thought my ethernet hub was going bad, so I bought and installed a new one! Duh! Turns out that part of the exploit is the symptom where BIND times out for 120 seconds during the compromise. I noticed this about 6 times during the week. The hackers also left some login entries in /var/log/messages, but the source address was to another DNS server in China (I'm in NJ), so I figure they compromised that server first.

Steve Redler IV, Sysadmin
steve () sr-tech com
"If Windows is the answer, I want the problems back!"
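As an added example (not code from the thread or from either poster), a small log-correlation check for the symptom Karthik describes: BIND 8 "Lame server on" entries that are followed shortly afterwards by named restarting under a new PID. The syslog lines are constructed, the message format is assumed, and the 120-second window comes from Steve's report of named timing out.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt in BIND 8 style (assumed format, not from the thread).
SAMPLE_LOG = """\
Mar 20 03:12:01 ns1 named[412]: Lame server on 'www.example.test' (in 'example.test'?): [203.0.113.9].53 'ns.bad.example'
Mar 20 03:12:04 ns1 named[412]: Lame server on 'ftp.example.test' (in 'example.test'?): [203.0.113.9].53 'ns.bad.example'
Mar 20 03:13:40 ns1 named[517]: starting.  named 8.2.1
Mar 21 10:00:00 ns1 named[517]: Lame server on 'x.example.org' (in 'example.org'?): [198.51.100.2].53 'ns.example.org'
Mar 21 12:00:00 ns1 sshd[600]: Accepted password for steve from 192.0.2.10 port 1022
"""

# "Mon DD HH:MM:SS host prog[pid]: message"
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\[(\d+)\]: (.*)$")
LAME_RE = re.compile(r"Lame server on '([^']+)'.*?\[([\d.]+)\]\.53 '([^']+)'")
RESTART_RE = re.compile(r"^(starting|exiting)")


def parse(line, year=2000):
    """Split one syslog line into (timestamp, program, pid, message); None if unparseable."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3)), m.group(4)


def suspicious_lame_events(log_text, window_secs=120):
    """Return (ts, queried_name, source_ip, server_name, pid) for every lame-server
    entry that is followed within window_secs by named exiting/starting or by a
    PID change, i.e. the lame-server-then-crash pattern described in the thread."""
    entries = [e for e in (parse(l) for l in log_text.splitlines()) if e and e[1] == "named"]
    hits = []
    for i, (ts, _, pid, msg) in enumerate(entries):
        lm = LAME_RE.search(msg)
        if not lm:
            continue
        for ts2, _, pid2, msg2 in entries[i + 1:]:
            if ts2 - ts > timedelta(seconds=window_secs):
                break  # nothing within the window: ordinary lame delegation noise
            if pid2 != pid or RESTART_RE.match(msg2):
                hits.append((ts, lm.group(1), lm.group(2), lm.group(3), pid))
                break
    return hits


if __name__ == "__main__":
    for hit in suspicious_lame_events(SAMPLE_LOG):
        print("lame-server entry followed by named restart:", hit)
```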