Security Incidents mailing list archives

Re: Compromised...


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Mon, 7 Feb 2000 21:06:06 -0500


On Mon, 7 Feb 2000, Steve Logan wrote:

> There was a directory called ADMROCKS in /var/named.
>
> Has anyone else experienced this?  How did they get in?  At this point I'm
> pretty sure it was through named.  How should I go about cleaning it up?

they used a tool to smash their way into your unpatched named instance.
probably via the recently discussed NXT record bug... really easy to
exploit, really easy to prevent. *upgrade!!! this is old news!!!* the tool
is from the hacker group ADM, and some of their tools are around at

http://packetstorm.securify.com/groups/ADM/

(steve, i think i have this code lying around somewhere for this exploit,
let me know if you want to examine it for forensic study.)

wipe, reinstall from fresh, trusted sources (trusted cds), install
tripwire (or L5 or L6), upgrade BIND to a very trusted version and look
into chroot()ing it (if you use BIND 8 it's a new feature, BIND 4 has a
patch available for this), be a lot more vigilant this time around and
really secure that box ... or do this all over again. you didn't mention
the OS, but Linux has some nice stack smashing tricks which can be
thwarted via kernel patches. solaris also has stack smashing safeguards.
ADMROCK, the BIND exploit, relies on smashing the stack.

and next time keep way more on top of things! read BUGTRAQ, NIPC, CERT,
etc... the BIND problem is old, old news.

sorry if this sounds harsh, but it's an old bug. lots of sites, lots of
them, have been hit. welcome to a not so very exclusive club, those rooted
via named.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
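A minimal file-integrity check in the spirit of the tripwire advice above, as an added example that is not code from the original thread: it baselines a directory tree, then reports anything added, removed or changed, which is how an unexpected directory under a zone directory like /var/named would surface on the next run. The zone file name, its contents and the intrusion artifact in the demo are constructed.

```python
"""Tiny tripwire-style integrity baseline (added example, not from the thread)."""
import hashlib
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: (mode, size, sha256-or-None)} for every entry under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            # Directories and symlinks get no content hash, only mode and size.
            digest = _digest(full) if stat.S_ISREG(st.st_mode) else None
            manifest[rel] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return manifest


def compare(baseline, current):
    """Return (added, removed, changed) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a zone dir, then a stray dir appears and a zone is edited."""
    with tempfile.TemporaryDirectory() as root:
        zone = os.path.join(root, "db.example")  # constructed zone file
        with open(zone, "w") as f:
            f.write("$TTL 86400\n")
        baseline = build_manifest(root)
        os.mkdir(os.path.join(root, "ADMROCKS"))  # simulated intrusion artifact
        with open(zone, "a") as f:
            f.write("; tampered\n")
        return compare(baseline, build_manifest(root))
```

In practice the baseline manifest must be stored off the host (or on read-only media) before the box goes live, since an intruder with root can rewrite one kept locally.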

