Security Incidents mailing list archives

Rooted by admrocks


From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Wed, 12 Apr 2000 16:22:31 -0700


Hi all,

One of my name servers was rooted by admrocks on Wednesday afternoon, at
12:51 PDT.  The funny thing was that the attack came from another nameserver
that had been broken into, and the incoming telnet session to take control
of the machine was from yet another machine (not a nameserver) which I think
was compromised, because nmap showed it was running Netbus.

The attack involved catting a new user account into /etc/passwd, (username
boom, password boom (<-- courtesy of Jack the Ripper)), and installing a new
/bin/login which had the string "/usr/lib/login" in there.  I'm pretty sure
that /usr/lib/login wasn't there when we started.  rpm -Va also shows that
/bin/login has been modified, and I'm positive I haven't touched it since
installation.

We're running named non-root on Mandrake 7.0 with security set to paranoid
during installation and all the useless packages removed now.  Mandrake 7
apparently ships with bind 8.2.2 P5, and the copy of adm_bind I got from
securityfocus doesn't seem to work on it anymore.

 - Jason
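The two indicators the post relies on are an account appended to /etc/passwd and a package-owned binary that no longer matches what was installed. The script below is an added example (not code from the original post) of the first check, done against a known-good copy of /etc/passwd: it lists accounts that appeared since the baseline and flags any entry other than root that carries UID 0. The file names and both passwd files are constructed here for illustration; on a real RPM-based host the second check is the `rpm -Va` the author ran.

```shell
#!/bin/sh
# Added example, not part of the original post.  Compares a current
# /etc/passwd against a saved baseline and reports (1) accounts that were
# added and (2) accounts other than root that have UID 0.
# All paths and file contents below are constructed for this illustration.

# find_new_accounts BASELINE CURRENT
#   Prints, one per line and sorted, every username present in CURRENT
#   but absent from BASELINE.  comm(1) needs sorted input, so we sort.
find_new_accounts() {
    baseline_names=$(cut -d: -f1 "$1" | sort)
    current_names=$(cut -d: -f1 "$2" | sort)
    printf '%s\n' "$baseline_names" > "$1.names"
    printf '%s\n' "$current_names"  > "$2.names"
    comm -13 "$1.names" "$2.names"
    rm -f "$1.names" "$2.names"
}

# find_extra_root_accounts FILE
#   Prints every username whose UID field (3rd) is 0 and is not "root".
find_extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# --- constructed sample data -------------------------------------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
BASELINE_PASSWD="$WORKDIR/passwd.baseline"   # hypothetical saved copy
CURRENT_PASSWD="$WORKDIR/passwd.current"     # hypothetical live copy

cat > "$BASELINE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
EOF

# The "current" file has the same lines plus two appended accounts: one
# ordinary user and one UID-0 account, mirroring the post's "boom" entry.
cat > "$CURRENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
adm2:x:1001:1001:added user:/home/adm2:/bin/sh
boom:x:0:0::/:/bin/sh
EOF

echo "Accounts added since baseline:"
find_new_accounts "$BASELINE_PASSWD" "$CURRENT_PASSWD"
echo "Non-root accounts with UID 0:"
find_extra_root_accounts "$CURRENT_PASSWD"
```

The baseline copy only helps if it was taken before the compromise and stored somewhere the attacker could not edit, which is the same reason the author's `rpm -Va` result is worth more than reading /bin/login on the box itself: the comparison data lives outside the files under suspicion.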