Security Incidents mailing list archives

Re: rooted by r0x - from address 212.177.241.127


From: dbooth () FIBRES NET (Dave Booth)
Date: Thu, 6 Apr 2000 17:12:07 -0700


On Thu, 6 Apr 2000, - - wrote:

> I don't think a lame server would be a very good indication of an NXT
> attempt.  Certainly it does say this if you have been compromised but it
> could say that 15 other times that day because some people don't
> configure things properly.  I assume that a seasoned hacker would most
> likely use "DIG" or some other probe to find the version of bind they
> are looking for.

I agree, but I was thinking specifically of seeing this where subsequent
checking revealed that the proper servers were not lame. I'm also not
thinking about catching "seasoned" crackers either - if a real expert
wants to smoke my systems I am quite certain that they will eventually
succeed. Perhaps I should rephrase the question as "What sort of
footprints will one see from the script-kiddies who try the exploit on
every nameserver they can find, whether they succeed or not?" By catching
those guys we can at least reduce the noise level to the point where we
have a fighting chance to defend ourselves against the experts :) (yeah, I
know, some hope....)

--
Dave Booth
dbooth () fibres net
+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                             T E Lawrence                              |
+-----------------------------------------------------------------------+
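
The triage discussed in the message above (lame-server reports that remain after a follow-up check shows the server is not actually lame), as an added example that is not part of the original post. The log pattern is an assumption modelled on BIND 8 style syslog output, and the sample lines and the `VERIFIED` follow-up results are constructed.

```python
import re
from collections import defaultdict

# Assumed BIND 8 style message; adjust the pattern to what your named logs.
LAME_RE = re.compile(
    r"named\[\d+\]: Lame server on '(?P<qname>[^']+)' "
    r"\(in '(?P<zone>[^']*)'\?\): \[(?P<ip>[\d.]+)\]\.53 '(?P<ns>[^']+)'"
)

# Constructed sample log (documentation names and addresses only).
SAMPLE_LOG = """\
Apr  6 09:14:02 ns1 named[412]: Lame server on 'www.example.org' (in 'example.org'?): [192.0.2.10].53 'ns1.example.org'
Apr  6 09:14:05 ns1 named[412]: Lame server on 'mail.example.org' (in 'example.org'?): [192.0.2.10].53 'ns1.example.org'
Apr  6 11:30:41 ns1 named[412]: Lame server on 'host.example.net' (in 'example.net'?): [198.51.100.7].53 'ns.example.net'
Apr  6 11:31:00 ns1 named[412]: Ready to answer queries.
"""

def parse_lame(log_text):
    """Return {(zone, ns, ip): [timestamps]} for every lame-server message."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LAME_RE.search(line)
        if m:
            key = (m["zone"].lower(), m["ns"].lower(), m["ip"])
            hits[key].append(line[:15])  # classic syslog timestamp is 15 chars
    return dict(hits)

def triage(hits, is_authoritative):
    """Split reports into misconfiguration noise and ones worth a closer look.

    is_authoritative(zone, ip) -> bool is the follow-up check: does that
    server answer authoritatively for the zone when queried afterwards?
    """
    noise, suspicious = [], []
    for (zone, ns, ip), stamps in sorted(hits.items()):
        entry = {"zone": zone, "ns": ns, "ip": ip,
                 "count": len(stamps), "first": stamps[0]}
        (suspicious if is_authoritative(zone, ip) else noise).append(entry)
    return noise, suspicious

# Constructed follow-up results standing in for a live SOA query (e.g. dig).
VERIFIED = {("example.org", "192.0.2.10"): True,
            ("example.net", "198.51.100.7"): False}

if __name__ == "__main__":
    checker = lambda zone, ip: VERIFIED.get((zone, ip), False)
    noise, suspicious = triage(parse_lame(SAMPLE_LOG), checker)
    for e in suspicious:
        print("not lame on recheck, look closer:", e)
    print("genuinely lame (configuration noise):", len(noise))
```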


