Re: rooted by r0x - from address 212.177.241.127

[dbooth () FIBRES NET (Dave Booth)]

On Sat, 1 Apr 2000, karthik krishnamurthy wrote:

> since many people are discussing the bind nxt bug i
> thought i might add another symptom of a NXT attack.
> before named crashes it logs the nameserver and the
> domain used for the attack.
> lame nameserver on domain xxx.xxx.xxx
> serever xx.xxx.xx
> or something to that effect which is what steve has
> found in his logs.

Is this sort of log entry indicative of an attempt at exploiting the NXT
bug, even if one is running a version of bind that is supposedly not
vulnerable? I've seen a lot of discussion of the footprints of a
successful exploit but not a lot of info on how to detect unsuccessful
attempts (IMHO almost as important to monitor as when they actually get
in) This of course assumes that it relates to a nameserver that isnt truly
lame for the domain in question....

--
Dave Booth
dbooth () fibres net
+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                             T E Lawrence                              |
+-----------------------------------------------------------------------+