Security Incidents mailing list archives

Name server probe from NS2.50megs.com


From: jonkeim () PRINCETON EDU (Jonathan S. Keim)
Date: Sun, 16 Jan 2000 16:12:39 +0000


hello,

i got a nameserver probe last night from a machine at 207.173.126.101,
which turns out to be:

Name:    ns2.50megs.com
Address:  207.173.126.101

it looks like someone has compromised this machine and is scanning the
princeton network with it.  most likely it's the result of a bind exploit,
thanks to our friends at ADM.  look for the directory /var/named/ADMROCKS,
or some variant, and that will *generally* tell you if the intruder
entered via bind.

i've enclosed the relevant log entries from linux 2.2.x ipchains for your
convenience.  if you could look into this problem, i'd be very
appreciative.  good luck catching the script kiddie.

jon

relevant entry
----------------
Jan 16 08:33:33 law kernel: Packet log: input DENY eth0 PROTO=17 207.173.126.101:1704 140.180.145.238:53 L=55 S=0x00 I=65400 F=0x0000 T=49 (#16)
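The ipchains "Packet log" line above packs chain, target, interface, protocol, endpoints and rule number into one fixed layout, so a small parser is enough to pull denied UDP/53 probes out of a kernel log and count them per source. The following is an added example written for this archive page, not code from the poster or from the ipchains project; the log sample it embeds contains the line from the message above plus constructed entries (the second probe from the same source, a TCP/22 denial from 10.0.0.9, and an unrelated kernel line) so it runs offline.

```python
import re
from collections import Counter

# Layout of the Linux 2.2 ipchains "Packet log:" message, as seen above:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample log: first line is the entry from the message above,
# the rest are made up for this example.
SAMPLE_LOG = [
    "Jan 16 08:33:33 law kernel: Packet log: input DENY eth0 PROTO=17 "
    "207.173.126.101:1704 140.180.145.238:53 L=55 S=0x00 I=65400 F=0x0000 T=49 (#16)",
    "Jan 16 08:33:34 law kernel: Packet log: input DENY eth0 PROTO=17 "
    "207.173.126.101:1705 140.180.145.239:53 L=55 S=0x00 I=65401 F=0x0000 T=49 (#16)",
    "Jan 16 08:35:02 law kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.0.0.9:40112 140.180.145.238:22 L=60 S=0x00 I=12 F=0x4000 T=63 (#20)",
    "Jan 16 08:36:10 law kernel: eth0: link up",
]


def parse_ipchains(line):
    """Return a dict of the Packet log fields, or None if the line is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    # The trailing (#rule) part is absent on some kernels, so keep it optional.
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def is_dns_probe(rec):
    """A denied inbound UDP datagram to port 53 is what the poster saw."""
    return (
        rec["chain"] == "input"
        and rec["target"] == "DENY"
        and rec["proto"] == 17
        and rec["dport"] == 53
    )


def dns_probe_sources(lines):
    """Count denied UDP/53 probes per source address across a log."""
    counts = Counter()
    for line in lines:
        rec = parse_ipchains(line)
        if rec is not None and is_dns_probe(rec):
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in dns_probe_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} denied UDP/53 probe(s)")
```

Run against a real `/var/log/messages`, the same `dns_probe_sources` call over `open(path)` gives a per-source tally that is easier to act on than scanning for `:53` by eye; sources hitting many distinct destinations are the ones worth reporting to the owning network, as the poster did here.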
