Security Incidents mailing list archives

Re: rooted by r0x - from address 212.177.241.127


From: karthik_krish76 () YAHOO COM (karthik krishnamurthy)
Date: Tue, 11 Apr 2000 12:54:51 -0700


About the experts: they use their own shellcode. (It is only ADM's shellcode which leaves the footprint ADMROCKS.) In my experience one of the only remaining symptoms is the lame server log message.

There is another symptom of this attack, however. After the attacker kills the executable that is spawned by the shellcode he has to restart named (if he is that careful). named does make logs while starting up. Even if the attacker is careful enough to delete those logs he cannot totally cover his tracks, as the pid of named will be new. So any change in the process id of named while logging should be another and better indication that a break-in has occurred. I guess then the lame server log message would help you to reinforce the doubt while also giving an indication of the domain the attack has taken place from. I think that is why the lame server message is important.

regards
--- Dave Booth <dbooth () FIBRES NET> wrote:
On Thu, 6 Apr 2000, - - wrote:

I don't think a lame server would be a very good indication of an NXT attempt. Certainly it does say this if you have been compromised, but it could say that 15 other times that day because some people don't configure things properly. I assume that a seasoned hacker would most likely use "DIG" or some other probe to find the version of bind they are looking for.

I agree, but I was thinking specifically of seeing this where subsequent checking revealed that the proper servers were not lame. I'm also not thinking about catching "seasoned" crackers either - if a real expert wants to smoke my systems I am quite certain that they will eventually succeed. Perhaps I should rephrase the question as "What sort of footprints will one see from the script-kiddies who try the exploit on every nameserver they can find, whether they succeed or not?" By catching those guys we can at least reduce the noise level to the point where we have a fighting chance to defend ourselves against the experts :) (yeah, I know, some hope....)

--
Dave Booth
dbooth () fibres net

+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                             T E Lawrence                              |
+-----------------------------------------------------------------------+


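As an added example (not code from this thread, from BIND or from either poster), the two footprints discussed above turned into a small log check: it walks named's syslog lines, treats any change in the pid on a `named[...]` line as a restart even when the "starting" message itself was deleted, and ties each restart to the lame server messages logged shortly before it, so that the lame server noise Dave describes only raises an alarm when it sits next to a restart. The syslog and "Lame server on ..." line shapes follow what BIND 8 logged, but the host, pids, zones and addresses in the sample are constructed, and the log year and the 30-minute window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of named's syslog output. The line shapes follow BIND 8
# ("starting.", "Ready to answer queries.", "Lame server on ..."), but every
# host, pid, zone and address here is made up for the example.
SAMPLE_LOG = [
    "Apr 11 09:00:01 ns1 named[812]: starting.  named 8.2.2-P5",
    "Apr 11 09:00:01 ns1 named[812]: Ready to answer queries.",
    "Apr 11 10:15:22 ns1 named[812]: Lame server on 'foo.example' (in 'foo.example'?): [192.0.2.10].53 'ns.foo.example'",
    "Apr 11 10:15:23 ns1 named[812]: Lame server on 'foo.example' (in 'foo.example'?): [192.0.2.10].53 'ns.foo.example'",
    # No "starting." line for pid 1337: assume the attacker deleted it. The pid still changed.
    "Apr 11 10:15:40 ns1 named[1337]: Ready to answer queries.",
    "Apr 11 14:00:00 ns1 named[1337]: Lame server on 'bar.example' (in 'bar.example'?): [198.51.100.7].53 'ns.bar.example'",
]

LOG_YEAR = 2000  # syslog timestamps carry no year; assumed for the sample above

# "<Mon dd HH:MM:SS> <host> named[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+named\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# "Lame server on '<zone>' (in '<zone>'?): [<ip>].<port> '<server name>'"
LAME_RE = re.compile(
    r"Lame server on '(?P<zone>[^']*)' \(in '(?P<inzone>[^']*)'\?\): "
    r"\[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '(?P<server>[^']*)'"
)


def parse_line(line):
    """Return a dict for a named syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m.group("host"), "pid": int(m.group("pid")), "msg": m.group("msg")}


def parse_log(lines):
    return [ev for ev in (parse_line(l) for l in lines) if ev]


def find_restarts(events):
    """Every change of pid between consecutive named[...] lines is a restart,
    whether or not the 'starting' message survived. Returns (old, new, when)."""
    restarts = []
    last_pid = None
    for ev in events:
        if last_pid is not None and ev["pid"] != last_pid:
            restarts.append((last_pid, ev["pid"], ev["ts"]))
        last_pid = ev["pid"]
    return restarts


def lame_servers(events):
    """Pull zone, address and server name out of each 'Lame server on' line."""
    out = []
    for ev in events:
        m = LAME_RE.search(ev["msg"])
        if m:
            out.append({"ts": ev["ts"], "zone": m.group("zone"),
                        "ip": m.group("ip"), "server": m.group("server")})
    return out


def lame_server_counts(events):
    """How often each remote server was reported lame; on its own this is noise."""
    return Counter(l["ip"] for l in lame_servers(events))


def correlate(events, window=timedelta(minutes=30)):
    """One alert per restart, listing the lame-server addresses and zones seen
    in the window before it. An empty suspect list is still an unexplained restart."""
    lame = lame_servers(events)
    alerts = []
    for old, new, when in find_restarts(events):
        recent = [l for l in lame if when - window <= l["ts"] <= when]
        alerts.append({"old_pid": old, "new_pid": new, "ts": when,
                       "suspect_ips": sorted({l["ip"] for l in recent}),
                       "zones": sorted({l["zone"] for l in recent})})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lame server counts:", dict(lame_server_counts(evs)))
    for a in correlate(evs):
        print("named restarted %d -> %d at %s; lame servers just before: %s (zones %s)"
              % (a["old_pid"], a["new_pid"], a["ts"], a["suspect_ips"], a["zones"]))
```

The pid comparison is done on every named line rather than only on "starting" messages, which is what makes the check survive deleted startup logs; a legitimate reload or reboot will also show up, so the lame-server list attached to each alert is what separates routine restarts from ones worth a closer look.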
