Security Incidents mailing list archives

Re: Bind8 exploit and a deleted partition map


From: Derek Kwan <dkwan () KWAN CA>
Date: Tue, 13 Feb 2001 14:23:53 -0500

Well, after my box was rooted and trashed (all drives were trashed clean!)
a few years back (via an NFS buffer overflow bug):

1) Backup your Servers!
2) Keep your software version updated
3) Delete any software (esp. daemons) you don't plan to use
4) Monitor your syslogs (at least take a peek at them a few times a day)
5) Back up your servers (did I say that before?)

In case you get rooted, don't panic. Make sure you have your boot disk
handy. On a Linux box, you can have a boot disk with drivers for external
drives (e.g. SparQ), and you can do a dd if=/dev/hda of=/mnt/SparQ/hda.img
to take a snapshot of the disk image... after that, maybe you can try to
grep on the date; maybe you can find the last few lines of your syslog....

Install Tripwire to protect your files like your inetd.conf or
ssh_random_seed...

Just my 2 cents

 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is sent with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       Derek () KWAN ca


On Mon, 12 Feb 2001, Matteo, Marc A. wrote:

Hi all,

I was asked to look at a Red Hat box that had been owned, presumably via
Bind 8.2.2.

Limited forensics had already been done -- /etc/inetd.conf and
/etc/services had been messed with to add a shell at port 54321, and it
looked like the /etc/ssh_random_seed file had been messed with as well
(though that's hard to prove).

[snip...]

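The two pieces of advice in the reply above (image the disk with dd, then grep the raw image for the last syslog lines; keep Tripwire-style hashes of files such as inetd.conf) as an added, self-contained example. This is not code from either poster; the device name, output paths, the use of GNU sha256sum, and the sample "disk image" built in the comments are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes a Linux box with
# GNU coreutils (dd, sha256sum) and grep -a. Device and paths are placeholders.

# Image a block device onto external storage and hash the image, so later
# analysis can be shown to be of an unmodified copy. conv=noerror,sync keeps
# dd going past bad sectors (padding them with zeros) instead of stopping.
# Usage: image_disk /dev/hda /mnt/SparQ/hda.img
image_disk() {
    dev="$1"
    out="$2"
    dd if="$dev" of="$out" bs=64k conv=noerror,sync || return 1
    sha256sum "$out" > "$out.sha256"
}

# Carve syslog-style lines for one day out of a raw image (or any file).
# Syslog lines look like "Feb 12 23:59:01 host prog[pid]: message"; they
# survive in free space and in the journal even after /var/log is trashed.
# grep -a treats binary data as text, -o prints only the matching run, and
# LC_ALL=C keeps non-UTF-8 bytes from confusing the regex engine. The match
# stops at the first control byte, so each hit is one log line.
# Usage: carve_syslog /mnt/SparQ/hda.img "Feb 12"
carve_syslog() {
    img="$1"
    date_prefix="$2"
    LC_ALL=C grep -a -o -E "$date_prefix [0-9:]{8} [^[:cntrl:]]{1,200}" "$img" \
        | sort -u
}

# Poor man's Tripwire: record hashes of sensitive files once (ideally onto
# read-only media), then check them later. verify_baseline exits non-zero
# and prints the names of any files that changed.
# Usage: baseline /root/baseline.sha256 /etc/inetd.conf /etc/services
#        verify_baseline /root/baseline.sha256
baseline() {
    out="$1"
    shift
    sha256sum "$@" > "$out"
}

verify_baseline() {
    sha256sum -c --quiet "$1"
}
```

The carve step is deliberately crude: it recovers lines, not files, so expect duplicates (handled by sort -u) and lines from old, deleted copies of the log mixed in with the current ones. The hash baseline only helps if it was taken before the compromise and stored where an attacker with root cannot rewrite it.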
