Security Incidents mailing list archives
Re: rooted by r0x - from address 212.177.241.127
From: k_liner () HOTMAIL COM (spookah .)
Date: Tue, 11 Apr 2000 16:34:55 PDT
I have seen and had a copy of bscan, which is actually an a, b, or c class broadcast scanner. A new 'bscan' may have been released which scans for boxes vulnerable to the NXT exploit, but not that I am personally aware of. spookah Network Technician Linux Administrator
From: Brian McKinney <rizzdogg () NOC THEWORKS COM> Reply-To: Brian McKinney <rizzdogg () NOC THEWORKS COM> To: INCIDENTS () SECURITYFOCUS COM Subject: Re: rooted by r0x - from address 212.177.241.127 Date: Mon, 10 Apr 2000 14:13:04 -0700 I have seen some scanners out there that scan subnets for the version of bind thats vuln. I believe it was called bscan, and infact the "cracked by brizilians thread" that had the rootkit attached to it had the bscan util in it. I might be wrong though it was quite a while ago when i saw it. RizzDogg -----Original Message----- From: - - [mailto:slam () ONEMAIN COM] Sent: Thursday, April 06, 2000 4:38 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: rooted by r0x - from address 212.177.241.127 I don't think a lame server would be a very good indication of an NXT attempt. Certainly it does say this if you have been compromised but it could say that 15 other times that day because some people don't configure things properly. I assume that a seasoned hacker would most likely use "DIG" or some other probe to find the version of bind they are looking for. Any other thoughts? Adam Skulker.-----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Dave Booth Sent: Tuesday, April 04, 2000 8:45 AM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: rooted by r0x - from address 212.177.241.127 On Sat, 1 Apr 2000, karthik krishnamurthy wrote:since many people are discussing the bind nxt bug i thought i might add another symptom of a NXT attack. before named crashes it logs the nameserver and the domain used for the attack. lame nameserver on domain xxx.xxx.xxx serever xx.xxx.xx or something to that effect which is what steve has found in his logs.Is this sort of log entry indicative of an attempt at exploiting the NXT bug, even if one is running a version of bind that is supposedly not vulnerable? I've seen a lot of discussion of the footprints of a successful exploit but not a lot of info on how to detect unsuccessful attempts (IMHO almost as important to monitor as when they actually get in) This of course assumes that it relates to a nameserver that isnttrulylame for the domain in question.... -- Dave Booth dbooth () fibres net+-----------------------------------------------------------------------+| All men dream but not equally. Those that dream by night in the dusty|| recesses of their minds wake to find it was vanity but the dreamers|| of the day are dangerous men, for they may act their dreams with open|| eyes to make it possible.|| T E Lawrence|+-----------------------------------------------------------------------+
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- Re: rooted by r0x - from address 212.177.241.127 karthik krishnamurthy (Apr 01)
- Re: rooted by r0x - from address 212.177.241.127 Dave Booth (Apr 04)
- <Possible follow-ups>
- Re: rooted by r0x - from address 212.177.241.127 - - (Apr 06)
- Re: rooted by r0x - from address 212.177.241.127 Dave Booth (Apr 06)
- Re: rooted by r0x - from address 212.177.241.127 Brian McKinney (Apr 10)
- Re: rooted by r0x - from address 212.177.241.127 karthik krishnamurthy (Apr 11)
- Re: rooted by r0x - from address 212.177.241.127 spookah . (Apr 11)