Security Incidents mailing list archives
Re: Compromised...
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Mon, 7 Feb 2000 21:06:06 -0500
On Mon, 7 Feb 2000, Steve Logan wrote:
> There was a directory called ADMROCKS in /var/named. Has anyone else
> experienced this? How did they get in? At this point I'm pretty sure it
> was through named. How should I go about cleaning it up?
they used a tool to smash their way into your unpatched named instance, probably via the recently discussed NXT record bug... really easy to exploit, really easy to prevent. *upgrade!!! this is old news!!!*

the tool is from the hacker group ADM, and some of their tools are around at http://packetstorm.securify.com/groups/ADM/ (steve, i think i have this code lying around somewhere for this exploit, let me know if you want to examine it for forensic study.)

wipe, reinstall from fresh, trusted sources (trusted cds), install tripwire (or L5 or L6), upgrade BIND to a very trusted version and look into chroot()ing it (if you use BIND 8 it's a new feature, BIND 4 has a patch available for this), be a lot more vigilant this time around and really secure that box ... or do this all over again.

you didn't mention the OS, but Linux has some nice stack smashing tricks which can be thwarted via kernel patches. solaris also has stack smashing safeguards. ADMROCK, the BIND exploit, relies on smashing the stack.

and next time keep way more on top of things! read BUGTRAQ, NIPC, CERT, etc... the BIND problem is old, old news. sorry if this sounds harsh, but it's an old bug. lots of sites, lots of them, have been hit. welcome to a not so very exclusive club, those rooted via named.

jose nazario                          jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
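The triage the reply above sketches (is the running BIND in the range the NXT bug hits, did the attacker leave anything in the named directory, what changed on disk) as a small set of POSIX sh helpers. This is an added example, not code from the original post or from ADM, BIND or tripwire. It assumes the version range from CERT CA-1999-14 (the NXT overflow affects BIND 8.2, 8.2-P1 and 8.2.1; 8.2.2 and later are fixed; 4.9.x and 8.1.x are not exposed to this particular bug), it uses cksum as a stand-in for a real integrity checker, and the function names, the sample tree and the file names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: post-compromise triage helpers
# for the scenario above (named rooted via the BIND NXT bug, an ADMROCKS
# directory left in /var/named). Assumes POSIX sh plus find, cksum, sort,
# diff, wc, tr and mktemp. Function names are hypothetical.

# 1. Version check. Assumption (per CERT CA-1999-14): the NXT overflow hits
#    BIND 8.2, 8.2-P1 and 8.2.1; 8.2.2 and later carry the fix. Feed it the
#    banner from "named -v" or from:  dig @host version.bind txt chaos
#    Returns 0 (true) when the banner falls in the vulnerable range.
bind_nxt_vulnerable() {
    case "$1" in
        *8.2.2*|*8.2.[3-9]*)          return 1 ;;  # fixed releases, test first
        *8.2.1*|*8.2-P*|*"8.2 "*|*8.2) return 0 ;;  # 8.2.1, 8.2-P1, bare 8.2
        *)                            return 1 ;;  # 4.9.x, 8.1.x, 9.x: not NXT
    esac
}

# 2. Integrity baseline in the spirit of tripwire / L5 / L6: one line per
#    regular file (CRC, size, path), sorted by path, so two snapshots diff
#    cleanly. cksum is POSIX and everywhere, but CRC32 is not collision
#    resistant: it catches changes you forgot about, not a careful attacker.
#    Keep the baseline off the box (the "trusted cds" point applies here).
fi_snapshot() {
    find "$1" -type f -exec cksum {} + | sort -k 3
}

# Returns 0 if the tree still matches the baseline file, 1 if anything
# was added, removed or modified.
fi_verify() {
    fi_snapshot "$2" | diff "$1" - >/dev/null
}

# 3. Indicator scan for the named working directory. A zone directory
#    should hold zone files and maybe a pid file; an ADMROCKS directory or
#    any executable regular file is worth a look. Prints each hit and
#    returns 0 (true) when something suspicious was found.
named_dir_suspicious() {
    hits=0
    if [ -d "$1/ADMROCKS" ]; then
        echo "hit: tool directory $1/ADMROCKS"
        hits=$((hits + 1))
    fi
    find "$1" -type f -perm -100 -print | while read -r f; do
        echo "hit: executable file $f"
    done
    n=$(find "$1" -type f -perm -100 -print | wc -l | tr -d ' ')
    hits=$((hits + n))
    [ "$hits" -gt 0 ]
}

# Constructed sample tree standing in for /var/named so the block runs
# offline: a zone file, a baseline taken while clean, then the dropped
# tool directory plus an edited zone file. Returns 0 when every helper
# reports what the scenario expects.
demo_triage() {
    tmp=$(mktemp -d) || return 1
    printf '$TTL 3600\n@ IN SOA ns1.example. root.example. 1 3600 900 604800 3600\n' \
        > "$tmp/example.zone"
    fi_snapshot "$tmp" > "$tmp.baseline"              # clean baseline
    mkdir "$tmp/ADMROCKS"                             # constructed indicator
    printf '#!/bin/sh\necho owned\n' > "$tmp/ADMROCKS/dropper"
    chmod 755 "$tmp/ADMROCKS/dropper"
    printf '; altered after baseline\n' >> "$tmp/example.zone"

    rc=0
    bind_nxt_vulnerable "BIND 8.2.1"         || rc=1  # expect: vulnerable
    bind_nxt_vulnerable "BIND 8.2.2-P5"      && rc=1  # expect: fixed
    named_dir_suspicious "$tmp" >/dev/null   || rc=1  # expect: hits
    fi_verify "$tmp.baseline" "$tmp"         && rc=1  # expect: changed

    rm -rf "$tmp" "$tmp.baseline"
    return "$rc"
}

demo_triage && echo "triage helpers behaved as expected on the sample tree"
```

Take the baseline from a known-clean install and store it somewhere the host cannot write to; a baseline snapshotted after the break-in only proves the attacker's files have not changed since. Any executable under the zone directory is a finding on its own, whatever it is named.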