Security Incidents mailing list archives

nscd poisoning?


From: Michael Loftis <mloftis () wgops com>
Date: Wed, 11 Jun 2003 23:15:50 -0600

I just experienced a very scary thing. An nscd instance on an internal/mostly private machine picked up a bogus entry for localhost matching the address 203.0.37.125 -- which the net admin there has reversing to localhost. It seems to me we have a hacker with some sort of new attack possibly?

The system is an RH7.3 base, with latest patches. As far as I know there aren't any obvious vulns in the system here, and the information didn't come from LDAP, as the server's replication logs NEVER mentioned that information, ever.

I know that there are some solutions to this (including editing nsswitch.conf) but I wanted to know if anyone else has seen this? Replies off-list or on-list (though I have a hard time following all the list traffic...)
