Security Incidents mailing list archives
Re: ADMROCKS, Bind exploit...strikes again...
From: joel () SECURIFY COM (Joel de la Garza)
Date: Mon, 10 Apr 2000 14:08:48 -0700
The exploit has been out for a while now. What has occurred is that someone has written a nice little how-to that can be found at: http://www.hack.co.za/daem0n/named/NXT-Howto.txt It makes for a nice read.

cheers,
Joel

Snehal Dasari wrote:
heh...apparently this exploit is getting around... I'm fairly new to linux, but by no means a new user... On what looks like Apr 1st (in Australia..my location) I was hacked (sorta) by this very exploit, rather, my gateway/firewall was..

Apr 1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3839
Apr 1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:19:55 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:20:05 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (50 data bytes)
Apr 1 14:20:25 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (42 data bytes)
Apr 1 14:20:35 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (51 data bytes)
Apr 1 14:21:06 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3887
Apr 1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:48 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:51 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:57 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:58 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:59 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 14:25:01 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from 207.44.243.39
Apr 3 06:14:55 deathknight iplog[2519]: TCP: port scan mode expired for 207.44.243.39 - received a total of 1640 packets (65600 bytes).

This is all the information I could screen out of my logs...I'm writing this as I am actually..checking/disinfecting (for lack of a better word at the moment) this machine... I don't know if they got access as I don't have telnet running and I use SSH1 on a port different to standard. Telnet is also blocked by an ipchains rule set to reject all packets (inside or outside the firewall)...however, I am unable to ascertain if they were able to get in...

Here's the weird thing, I'm dialup....I've checked every possible log I've got and I've got nothing until the 1st...atm, I'm just cleaning up files for a reformat/reinstall so I can be 100% positive that this box is clear

Attached is the dump for named...if that's of any use...

Regards,
Snehal Dasari

------------------------------------------------------------------------
Name: named_dump.db
Type: unspecified type (application/octet-stream)
Encoding: quoted-printable
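The iplog lines quoted in the thread are the kind of evidence a defender has to sift through by hand when triaging a suspected BIND compromise. The following is an added example, not code from the thread or from iplog: a small Python parser for the four iplog message formats that appear in the quoted logs (TCP connection attempt, UDP datagram to a service, port scan detected, port scan mode expired). It groups events by source host, totals the datagrams and bytes sent to the DNS port, records the port-scan markers, and flags any source that sends a burst of UDP datagrams to port 53 within a short window. The sample input is constructed from the lines quoted above; the burst threshold (5 datagrams in 60 seconds) is an assumed starting point, not a value from the thread.

```python
"""Summarise iplog syslog lines per source host and flag DNS probing.

Added example (not from the thread or the iplog project): parses the
message formats quoted in the post and runs over sample lines modelled on them.
"""
import re
from datetime import datetime

# Sample input constructed from the iplog lines quoted in the thread.
SAMPLE_LOG = """\
Apr 1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3839
Apr 1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:19:55 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:20:05 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (50 data bytes)
Apr 1 14:20:25 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (42 data bytes)
Apr 1 14:20:35 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (51 data bytes)
Apr 1 14:21:06 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3887
Apr 1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:48 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:51 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:57 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:58 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:59 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 14:25:01 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from 207.44.243.39
Apr 3 06:14:55 deathknight iplog[2519]: TCP: port scan mode expired for 207.44.243.39 - received a total of 1640 packets (65600 bytes)
"""

# Message formats as they appear in the quoted lines (assumed to be stable).
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: (?P<msg>.*)$")
TCP_RE = re.compile(r"TCP: (?P<svc>\S+) connection attempt from (?P<src>[^\s:]+):\d+$")
UDP_RE = re.compile(r"UDP: dgram to (?P<svc>\S+) from (?P<src>[^\s:]+):\d+ \((?P<bytes>\d+) data bytes\)$")
SCAN_RE = re.compile(r"TCP: port scan detected from (?P<src>\S+)$")
EXPIRE_RE = re.compile(r"TCP: port scan mode expired for (?P<src>\S+) - received a total of (?P<pkts>\d+) packets")
KINDS = (("tcp", TCP_RE), ("udp", UDP_RE), ("scan", SCAN_RE), ("expire", EXPIRE_RE))


def parse_events(log_text):
    """Yield (timestamp, kind, source, fields) for every recognised iplog line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an iplog line; ignore
        # syslog stamps carry no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        for kind, rx in KINDS:
            mm = rx.match(m.group("msg"))
            if mm:
                yield ts, kind, mm.group("src"), mm.groupdict()
                break


def has_burst(times, window_s, min_events):
    """True if any min_events consecutive timestamps fall within window_s seconds."""
    times = sorted(times)
    for i in range(len(times) - min_events + 1):
        if (times[i + min_events - 1] - times[i]).total_seconds() <= window_s:
            return True
    return False


def summarize(log_text, service="domain", burst_window_s=60, burst_min=5):
    """Per-source counters for traffic aimed at `service`, plus port-scan markers."""
    stats = {}
    for ts, kind, src, d in parse_events(log_text):
        s = stats.setdefault(src, {"tcp_attempts": 0, "udp_dgrams": 0, "udp_bytes": 0,
                                   "scan_detected": False, "scan_packets": 0,
                                   "udp_burst": False, "_udp_times": []})
        if kind == "tcp" and d["svc"] == service:
            s["tcp_attempts"] += 1
        elif kind == "udp" and d["svc"] == service:
            s["udp_dgrams"] += 1
            s["udp_bytes"] += int(d["bytes"])
            s["_udp_times"].append(ts)
        elif kind == "scan":
            s["scan_detected"] = True
        elif kind == "expire":
            s["scan_packets"] = int(d["pkts"])
    for s in stats.values():
        s["udp_burst"] = has_burst(s.pop("_udp_times"), burst_window_s, burst_min)
    return stats


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, s)
```

Note that iplog logs the reverse-resolved name when it has one, so a single remote host can show up under both a hostname (magik.nu above) and a bare address; the summary is keyed on whatever string iplog wrote, so correlate the two yourself before treating them as separate sources. A burst of small UDP datagrams to port 53 from one source is only a triage signal, not proof of exploitation; the named dump and the server's own logs are what settle whether the NXT exploit succeeded.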
Current thread:
- ADMROCKS, Bind exploit...strikes again... Snehal Dasari (Apr 08)
- Re: ADMROCKS, Bind exploit...strikes again... Joel de la Garza (Apr 10)
- dsnhack.pl Michael Kluskens (Apr 12)
- Port 27015 Bruce Kneece (Apr 12)
- Re: dsnhack.pl Roelof Temmingh (Apr 13)
- dsnhack.pl Michael Kluskens (Apr 12)
- Re: ADMROCKS, Bind exploit...strikes again... Joel de la Garza (Apr 10)