Security Incidents mailing list archives
Re: Bind8 exploit and a deleted partition map
From: Derek Kwan <dkwan () KWAN CA>
Date: Tue, 13 Feb 2001 14:23:53 -0500
Well, after my box was rooted and trashed (all drives were wiped clean!) a few yrs back (via an NFS buffer overflow bug):

1) Back up your servers!
2) Keep your software versions updated.
3) Delete any software (esp. daemons) you don't plan to use.
4) Monitor your syslogs (at least take a peek at them a few times a day).
5) Back up your servers (did I say that before?)

In case you get rooted, don't panic. Make sure you have your boot disk handy. On a Linux box, you can have a boot disk w/ drivers for external drives (e.g. SparQ), and you can do

    dd if=/dev/hda of=/mnt/SparQ/hda.img

to take a snapshot of the disk image... After that, maybe you can try to grep on the date; maybe you can find the last few lines of your syslog....

Install Tripwire to protect your files like your inetd.conf or ssh_random_seed...

Just my 2 cents

--
This e-mail is sent with 100% recyclable electrons.
Derek () KWAN ca

On Mon, 12 Feb 2001, Matteo,Marc A. wrote:
> Hi all, I was asked to look at a Red Hat box that had been owned, presumably via Bind 8.2.2. Limited forensics had already been done -- /etc/inetd.conf and /etc/services had been messed with to add a shell at port 54321 and it looked like the /etc/ssh_random_seed file had been messed with as well (tho that's hard to prove).
>
> [snip...]
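The "snapshot the disk, then grep on the date" step from Derek's reply, as an added example that is not part of the original post or thread: a POSIX sh script that builds a constructed 64 KiB stand-in for the `dd` image (real imaging would read `/dev/hda` to an external drive), records the image checksum before and after analysis to show it was only read, and carves syslog-style lines out of the raw bytes with `grep -a`. The hostname `ns1`, the three log lines, and the `/tmp` working directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of Derek Kwan's post: snapshot a (constructed) disk
# image, record its checksum, then carve syslog-style lines out of the raw
# bytes with grep -a, the "grep on the date" step the post describes.
set -eu

WORK="${TMPDIR:-/tmp}/carve-demo.$$"
IMG="$WORK/hda.img"          # stands in for the dd snapshot of /dev/hda
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed 64 KiB image: all zeros, with three constructed syslog
# lines written at an unaligned sector so they sit "in the middle" of the
# disk, the way a block from a deleted /var/log/messages would.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf '%s\n' \
        'Feb 12 03:14:07 ns1 named[212]: starting.  named 8.2.2-P5' \
        'Feb 12 03:14:09 ns1 inetd[188]: reread configuration' \
        'Feb 12 03:14:11 ns1 sshd[301]: generating new seed file' \
        > "$WORK/lines"
    dd if="$WORK/lines" of="$1" bs=512 seek=37 conv=notrunc 2>/dev/null
}

# POSIX cksum of the image; take it before analysis and compare after, so
# you can show the image was only read, never written, while you worked.
image_checksum() {
    cksum "$1" | cut -d' ' -f1
}

# Carve lines that start with the syslogd timestamp "Mon DD HH:MM:SS".
# -a treats the binary image as text, -o prints only the matching part,
# and [^[:cntrl:]]* stops the match at the next NUL or newline.
carve_syslog() {
    grep -a -o -E \
        '[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [^[:cntrl:]]*' \
        "$1"
}

make_image "$IMG"
BEFORE="$(image_checksum "$IMG")"
carve_syslog "$IMG"
AFTER="$(image_checksum "$IMG")"
if [ "$BEFORE" = "$AFTER" ]; then
    echo "image unchanged (cksum $BEFORE)"
else
    echo "WARNING: image modified during analysis" >&2
    exit 1
fi
```

Run it against a real image by pointing `IMG` at the `hda.img` you took with `dd` and skipping `make_image`; the date pattern is the only thing tying the carve to syslog, so widen it if the box kept logs in a different format.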
Current thread:
- Bind8 exploit and a deleted partition map Matteo,Marc A. (Feb 13)
- Re: Bind8 exploit and a deleted partition map Luciano Miguel Ferreira Rocha (Feb 13)
- Re: Bind8 exploit and a deleted partition map Jose Nazario (Feb 13)
- Re: Bind8 exploit and a deleted partition map Derek Kwan (Feb 13)
- Re: Bind8 exploit and a deleted partition map Crist Clark (Feb 13)
- Re: Bind8 exploit and a deleted partition map Jeremy L. Gaddis (Feb 14)
- Re: Bind8 exploit and a deleted partition map Valdis Kletnieks (Feb 14)
- Re: Bind8 exploit and a deleted partition map Eric Brandwine (Feb 14)
- Priorities (was: Bind8 exploit and a deleted partition map) Dustin Mitchell (Feb 15)
- Re: Priorities (was: Bind8 exploit and a deleted partition map) Crist Clark (Feb 15)
- Re: Bind8 exploit and a deleted partition map Crist Clark (Feb 13)
- Re: Bind8 exploit and a deleted partition map Luciano Miguel Ferreira Rocha (Feb 13)
- <Possible follow-ups>
- Re: Bind8 exploit and a deleted partition map Justin Shore (Feb 14)