Re: Name server probe from NS2.50megs.com

[jonkeim () PRINCETON EDU (Jonathan S. Keim)]

just a clarification:  i already sent this to the abuse people at
50megs.com, and got a prompt reply.

there shouldn't be any more issues with that machine.

jon

"Jonathan S. Keim" wrote:
> hello,
>
> i got a nameserver probe last night from a machine at 207.173.126.101,
> which turns out to be:
>
> Name:    ns2.50megs.com
> Address:  207.173.126.101
>
> it looks like someone has compromised this machine and is scanning the
> princeton network with it.  most likely it's the result of a bind
> exploit,
> thanks to our friends at ADM.  look for the directory
> /var/named/ADMROCKS,
> or some variant, and that will *generally* tell you if the intruder
> entered via bind.
>
> i've enclosed the relevant log entries from linux 2.2.x ipchains for
> your
> convenience.  if you could look into this problem, i'd be very
> appreciative.  good luck catching the script kiddie.
>
> jon
>
> relevant entry
> ----------------
> Jan 16 08:33:33 law kernel: Packet log: input DENY eth0 PROTO=17
> 207.173.126.101:1704 140.180.145.238:53 L=55 S=0x00 I=65400 F=0x0000
> T=49 (#16)