Security Incidents mailing list archives
Re: bind breakin?
From: "McGraw, Stuart" <stuart () DISPLAYTECH COM>
Date: Wed, 21 Feb 2001 09:36:16 -0700
Hello,

Thanks for all the feedback folks! As many pointed out, these messages were from a non-privileged user trying to restart named. But these messages were generated when no one was logged in and some digging revealed an lkm rootkit. Sigh.

-- Stu

-----Original Message-----
From: Stuart McGraw
Sent: Monday, February 19, 2001 10:05 AM
To: 'INCIDENTS () SECURITYFOCUS COM'
Subject: bind breakin?

Hello,

Have I been hacked? Are these messages a signature of any known exploits? Thanks greatly...

-- Stu

Feb 17 22:33:55 dns1 named[11646]: slave zone "hasco.com" (IN) loaded (serial 1001122
Feb 17 22:33:55 dns1 named[11646]: slave zone "123.123.123-addr.arpa" (IN) loaded (serial 1000918
Feb 17 22:33:55 dns1 named[11646]: slave zone "124.123.123.in-addr.arpa" (IN) loaded (serial 1000918
Feb 17 22:33:55 dns1 named[11646]: slave zone "10.in-addr.arpa" (IN) loaded (serial 990624)
Feb 17 22:33:55 dns1 named[11646]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1997010400)
Feb 17 22:33:55 dns1 named[11646]: hint zone "" (IN) loaded (serial 0)
Feb 17 22:33:55 dns1 named[11646]: unix control "/var/run/ndc" unlink failed: Permission denied
Feb 17 22:33:55 dns1 named[11646]: ctl_server: bind: Address already in use
Feb 17 22:33:55 dns1 named[11646]: couldn't create pid file '/var/run/named.pid'
Feb 17 22:33:55 dns1 named[11646]: bind(dfd=20, [127.0.0.1].53): Permission denied
Feb 17 22:33:55 dns1 named[11646]: deleting interface [127.0.0.1].53
Feb 17 22:33:55 dns1 named[11646]: bind(dfd=20, [123.123.123.1].53): Permission denied
Feb 17 22:33:55 dns1 named[11646]: deleting interface [123.123.123.1].53
Feb 17 22:33:55 dns1 named[11646]: not listening on any interfaces
Feb 17 22:33:55 dns1 named[11646]: opensocket_f: bind([0.0.0.0].53): Permission denied
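
The triage described in this thread (named started without privilege, at a time when nobody was logged in) can be checked mechanically. The following is an added example, not part of the original posts: the function name, the session list and the year argument are assumptions, and the sample data is partly constructed as marked in the comments.

```python
import re
from datetime import datetime

# Syslog shape from the post: "Feb 17 22:33:55 dns1 named[11646]: <message>"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) named\[(\d+)\]: (.*)$")

# Startup failures that appear in the post's log, keyed by a short label.
INDICATORS = {
    "port53_denied": re.compile(r"bind\(.*\]\.53\): Permission denied"),
    "pidfile_failed": re.compile(r"couldn't create pid file"),
    "ctl_unlink_denied": re.compile(r"unix control .* unlink failed: Permission denied"),
    "ctl_in_use": re.compile(r"ctl_server: bind: Address already in use"),
}

def unprivileged_starts(lines, sessions, year):
    """Group named messages by PID and report every PID that was refused
    port 53. `sessions` is a list of (login, logout) datetimes (assumed to
    come from login records); syslog omits the year, so it is passed in."""
    found = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        hits = [name for name, rx in INDICATORS.items() if rx.search(msg)]
        if not hits:
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rec = found.setdefault(int(pid), {"host": host, "when": when, "hits": {}})
        for name in hits:
            rec["hits"][name] = rec["hits"].get(name, 0) + 1
    for rec in found.values():
        # True when no recorded session covers the time of the first failure.
        rec["nobody_logged_in"] = not any(a <= rec["when"] <= b for a, b in sessions)
    return {p: r for p, r in found.items() if "port53_denied" in r["hits"]}

# First two lines are taken from the log in the post; the third is constructed
# to show a normally started named that must not be reported.
SAMPLE = [
    'Feb 17 22:33:55 dns1 named[11646]: unix control "/var/run/ndc" unlink failed: Permission denied',
    "Feb 17 22:33:55 dns1 named[11646]: bind(dfd=20, [127.0.0.1].53): Permission denied",
    "Feb 17 09:00:01 dns1 named[402]: listening on [127.0.0.1].53 (lo)",
]
# Constructed session list: one login that ended hours before 22:33:55.
SESSIONS = [(datetime(2001, 2, 17, 8, 55), datetime(2001, 2, 17, 17, 30))]

if __name__ == "__main__":
    for pid, rec in unprivileged_starts(SAMPLE, SESSIONS, 2001).items():
        print(pid, rec["host"], rec["when"], rec["hits"], rec["nobody_logged_in"])
```
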