Security Incidents mailing list archives

resolv.conf - overwrite

From: Lukasz Spaleniak <spalek () ptssa pl>
Date: Tue, 4 Nov 2003 12:32:04 +0100 (CET)

Hi,
probably someone had similar problem before, but I decided to describe it.

Few days ago I suddenly discovered that my resvol.conf is changed , it
looks likt that:

domain darkorb.net
search darkorb.net
nameserver 216.118.116.101
nameserver 66.197.217.12
nameserver 66.246.41.14
nameserver 66.197.217.11
nameserver 66.96.193.2
nameserver 66.96.194.2

/var/log/messages says that:
Oct 31 09:41:28 ptssa nscd: nscd shutdown failed

resolv.conf had the same modify date.

I'm using Red Hat 9, with the newest bind avaiable on the redhat:
[root@rumbrak log]# named -v
BIND 9.2.1

[root@rumbrak root]# rpm -qi bind
Name        : bind                         Relocations: (not relocateable)
Version     : 9.2.1                             Vendor: Red Hat, Inc.
Release     : 16


[root@rumbrak root]# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 217.96.xx.xx:53         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:45865           0.0.0.0:*
udp        0      0 217.96.xx.xx:53         0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:3130            0.0.0.0:*
udp        0      0 0.0.0.0:48334           0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*

Ports avaiable to the internet:
- 20,21,22,25,53,80,110,443

Regards,
spalek

-- 
spalek () ptssa pl
GCM dpu s: a--- C++ UL++++ P+ L+++ E--- W+ N+ K- w O- M V-
PGP t--- 5 X+ R- tv-- b DI- D- G e-- h! r y+



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

Current thread:

resolv.conf - overwrite Lukasz Spaleniak (Nov 04)
- Re: resolv.conf - overwrite Tim Greer (Nov 05)
- <Possible follow-ups>
- RE: resolv.conf - overwrite Schmehl, Paul L (Nov 05)