Security Incidents mailing list archives
Re: rooted by r0x - from address 212.177.241.127
From: karthik_krish76 () YAHOO COM (karthik krishnamurthy)
Date: Tue, 11 Apr 2000 12:54:51 -0700
About the experts: they use their own shellcode. (It is only ADM's shellcode which leaves the footprint ADMROCKS.) In my experience one of the only remaining symptoms is the lame server log message. There is another symptom however of this attack. After the attacker kills the executable that is spawned by the shellcode he has to restart named (if he is that careful). named does make logs while starting up. Even if the attacker is careful enough to delete those logs he cannot totally cover his tracks, as the pid of named will be new. So any change in the process id of named while logging should be another and better indication that a break-in has occurred. I guess then the lame server log message would help you to reinforce the doubt while also giving an indication of the domain the attack has taken place from. I think that is why the lame server message is important.

regards

--- Dave Booth <dbooth () FIBRES NET> wrote:
On Thu, 6 Apr 2000, - - wrote:

I don't think a lame server would be a very good indication of an NXT attempt. Certainly it does say this if you have been compromised but it could say that 15 other times that day because some people don't configure things properly. I assume that a seasoned hacker would most likely use "DIG" or some other probe to find the version of bind they are looking for.

I agree, but I was thinking specifically of seeing this where subsequent checking revealed that the proper servers were not lame. I'm also not thinking about catching "seasoned" crackers either - If a real expert wants to smoke my systems I am quite certain that they will eventually succeed. Perhaps I should rephrase the question as "What sort of footprints will one see from the script-kiddies who try the exploit on every nameserver they can find, whether they succeed or not?" By catching those guys we can at least reduce the noise level to the point where we have a fighting chance to defend ourselves against the experts :) (yeah, I know, some hope....)

--
Dave Booth dbooth () fibres net

+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                                                          T E Lawrence |
+-----------------------------------------------------------------------+
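The check karthik describes above (a new named PID, possibly with the startup log line missing, corroborated by lame server messages) as an added example, not code from anyone in this thread. The PID samples and syslog lines are constructed; the BIND 8 "starting." and "Lame server on" message layouts are assumptions.

```python
import re

# Constructed sample: named's PID as recorded by a periodic poll
# (for example a cron job running "pidof named" every ten minutes).
PID_SAMPLES = [
    ("2000-04-11 00:00", 412),
    ("2000-04-11 00:10", 412),
    ("2000-04-11 00:20", 412),
    ("2000-04-11 00:30", 1907),  # named came back under a new PID
    ("2000-04-11 00:40", 1907),
]

# Constructed syslog excerpt for the same window; the message layout
# follows BIND 8 (assumption), addresses are from documentation ranges.
SYSLOG = """\
Apr 11 00:12:03 ns1 named[412]: Lame server on 'example.test' (in 'example.test'?): [192.0.2.53].53 'ns.example.test': learnt (A=192.0.2.1,NS=192.0.2.53)
Apr 11 00:25:41 ns1 named[412]: Lame server on 'x.example.test' (in 'example.test'?): [198.51.100.7].53 'ns.x.example.test': learnt (A=192.0.2.1,NS=198.51.100.7)
"""

# BIND 8 logs "starting." tagged with the new PID on start up (assumption).
STARTUP_RE = re.compile(r"named\[(\d+)\]: starting")
LAME_RE = re.compile(
    r"named\[\d+\]: Lame server on '([^']+)'.*?\[(\d+\.\d+\.\d+\.\d+)\]")

def pid_changes(samples):
    """(time, old_pid, new_pid) for every poll where named's PID moved."""
    return [(t, p_old, p_new)
            for (_, p_old), (t, p_new) in zip(samples, samples[1:])
            if p_new != p_old]

def logged_startup_pids(syslog):
    """PIDs for which syslog still holds a named startup message."""
    return {int(m.group(1)) for m in STARTUP_RE.finditer(syslog)}

def lame_server_sources(syslog):
    """(zone, server address) pairs taken from lame server messages."""
    return LAME_RE.findall(syslog)

def assess(samples, syslog):
    """One alert per PID change. No startup message for the new PID means
    the startup log was removed (or never reached syslog), which is the
    stronger signal; lame server hits are attached as corroboration and
    as a pointer to the zone and address involved."""
    startups = logged_startup_pids(syslog)
    return [{"time": t, "old_pid": old, "new_pid": new,
             "startup_logged": new in startups,
             "lame_servers": lame_server_sources(syslog)}
            for t, old, new in pid_changes(samples)]
```

Feed it the PID history and the day's named syslog lines; a real deployment would ship the PID samples off-host, since an attacker who can delete startup logs can also edit a local file.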