Security Incidents mailing list archives

Probe from NS2.SOHONET.COM


From: jonkeim () PHOENIX PRINCETON EDU (Jonathan S. Keim)
Date: Sat, 8 Jan 2000 11:24:49 -0500


hello,

i got this little probe last night from a machine at 208.215.131.24,
which turns out to be:

Name:    NS2.SOHONET.COM
Address:  208.215.131.24

it looks like someone has compromised this machine and is scanning the
princeton network with it.  most likely it's the result of a bind exploit,
thanks to our friends at ADM.  look for the directory /var/named/ADMROCKS,
or some variant, and that will *generally* tell you if the intruder
entered via bind.

i've enclosed the relevant log entries from linux 2.2.x ipchains for your
convenience.  if you could look into this problem, i'd be very
appreciative.  good luck catching the script kiddie.

jon

relevant entry
----------------
Jan  8 09:32:24 law kernel: Packet log: input DENY eth0 PROTO=17 208.215.131.24:2583 140.180.145.238:53 L=55 S=0x00 I=64066 F=0x0000 T=52 (#16)
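As an added illustration (not part of Jon's post or of any tool he mentions), the following Python parses Linux 2.2 ipchains "Packet log" lines of the shape quoted above and counts, per source address, the denied TCP/UDP packets aimed at port 53, which is the pattern a BIND-probing host produces. The entry from the post is reused as the first sample line; the other two lines are constructed here for the example, as is the `dns_probe_sources` helper.

```python
import re
from collections import Counter

# Constructed sample input in the Linux 2.2 ipchains "Packet log" format.
# The first line is the entry quoted in the post; the other two are made up
# here: a TCP probe to port 53 from the same host, and an unrelated NTP drop.
SAMPLE_LOG = [
    "Jan  8 09:32:24 law kernel: Packet log: input DENY eth0 PROTO=17 "
    "208.215.131.24:2583 140.180.145.238:53 L=55 S=0x00 I=64066 F=0x0000 T=52 (#16)",
    "Jan  8 09:32:25 law kernel: Packet log: input DENY eth0 PROTO=6 "
    "208.215.131.24:2584 140.180.145.239:53 L=60 S=0x00 I=64067 F=0x4000 T=52 (#16)",
    "Jan  8 09:40:02 law kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.10:1234 140.180.145.238:123 L=76 S=0x00 I=10 F=0x0000 T=64 (#16)",
]

# Field layout of an ipchains log entry:
#   <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<ip length> S=<tos> I=<ip id> F=<frag/flags> T=<ttl> (#<rule>)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_ipchains_line(line):
    """Return a dict of the log fields, or None if the line is not an ipchains entry."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    for key in ("tos", "frag"):
        rec[key] = int(rec[key], 16)
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def dns_probe_sources(lines):
    """Count denied TCP/UDP packets to port 53, keyed by source address.

    A single host appearing against many destination addresses is the
    signature of a sweep for name servers rather than a stray lookup.
    """
    hits = Counter()
    for line in lines:
        rec = parse_ipchains_line(line)
        if rec is None:
            continue
        if rec["action"] == "DENY" and rec["proto"] in (6, 17) and rec["dport"] == 53:
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in sorted(dns_probe_sources(SAMPLE_LOG).items()):
        print(f"{src}: {count} denied packet(s) to port 53")
```

Feed it real `/var/log/messages` lines instead of `SAMPLE_LOG` (`dns_probe_sources(open("/var/log/messages"))`) and any source with more than a handful of hits is the one to report, together with the raw entries, as Jon did.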
