Security Incidents mailing list archives

Re: rooted by r0x - from address 212.177.241.127


From: karthik_krish76 () YAHOO COM (karthik krishnamurthy)
Date: Sat, 1 Apr 2000 02:40:24 -0800


Since many people are discussing the BIND NXT bug, I
thought I might add another symptom of an NXT attack.
Before named crashes it logs the nameserver and the
domain used for the attack:
lame nameserver on domain xxx.xxx.xxx
server xx.xxx.xx
or something to that effect, which is what Steve has
found in his logs.
Regards

--- Steve <steve () SR-TECH COM> wrote:
I was running a stock RedHat 6.1 box as a DNS server and got rooted 3-20-2000.
I had the ADMROCKS directory in /var/named, so I know they used the "ADM named
8.2/8.2.1 NXT remote overflow" exploit to get in. Apparently it's a piece of
cake for any kid to get in this way. They also planted the trin00 DoS daemon,
but tried to compile the portscanner locally, but I had no development tools
installed. They modified a bunch of files, probably a "root kit". I felt like a
real dork for not paying attention to the security web sites more closely. It's
pretty well known now that BIND 8.2/8.2.1 are a snap to exploit. My suggestion
is to install the latest BIND patch level 5 along with openssh 1.2.3, and shut
everything else off you don't need.

Fortunately, the hackers' interest wasn't in taking down my server, but to keep
the compromise low key, so it could serve as a remote attack point. Funny thing
is that I was having DNS lookup problems that week, and thought my ethernet hub
was going bad, so I bought and installed a new one! Duh! Turns out that part of
the exploit is the symptom where BIND times out for 120 seconds during the
compromise. I noticed this about 6 times during the week. The hackers also left
some login entries in /var/log/messages, but the source address was to another
DNS server in China (I'm in NJ), so I figure they compromised that server
first.


Steve Redler IV, Sysadmin
steve () sr-tech com

"If Windows is the answer, I want the problems
back!"
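As an added example (not part of this thread), a small triage script that applies the two indicators the thread describes: a lame-nameserver log entry shortly before named dies and is restarted, and the ADMROCKS directory under /var/named. The syslog lines, hostnames and addresses below are constructed, and the "lame nameserver" wording follows Karthik's rough recollection rather than any specific BIND 8 version's exact message.

```python
import os
import re
from datetime import datetime

# Constructed /var/log/messages excerpt (not from the original post). Adapt
# LAME_RE to whatever wording your named actually logs.
SAMPLE_LOG = """\
Mar 20 03:10:58 ns1 named[412]: lame nameserver on domain victim.example server 198.51.100.7
Mar 20 03:11:02 ns1 named[412]: lame nameserver on domain victim.example server 198.51.100.7
Mar 20 03:13:05 ns1 named[519]: starting.  named 8.2.1
Mar 20 09:40:12 ns1 named[519]: lame nameserver on domain other.example server 203.0.113.5
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[(\d+)\]: (.*)$")
LAME_RE = re.compile(r"lame (?:name)?server on domain (\S+)\s+server (\S+)", re.I)
WINDOW = 300  # seconds: a lame entry this close before a named restart is suspect


def parse_ts(stamp, year=2000):
    # syslog stamps carry no year; the caller supplies one (assumed 2000 here)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def suspicious_lame_entries(log_text, window=WINDOW):
    """Return (domain, server, seconds_before_restart) for lame-server entries
    logged shortly before named's pid changes, i.e. the daemon died and came back."""
    hits, pending, last_pid = [], [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if last_pid is not None and pid != last_pid:
            # named restarted: recent lame entries are candidate NXT triggers
            for domain, server, seen in pending:
                gap = (ts - seen).total_seconds()
                if gap <= window:
                    hits.append((domain, server, int(gap)))
            pending = []
        last_pid = pid
        lm = LAME_RE.search(msg)
        if lm:
            pending.append((lm.group(1), lm.group(2), ts))
    return hits


def admrocks_present(named_dir="/var/named"):
    """Steve's on-disk indicator: the ADMROCKS directory left in named's directory."""
    return os.path.isdir(os.path.join(named_dir, "ADMROCKS"))
```

Entries flagged by suspicious_lame_entries give the remote server address worth correlating with the login entries Steve mentions; a lame entry with no following restart is ordinary DNS noise.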

