Security Incidents mailing list archives
Re: FYI: Bind compromise
From: Jim Olsen <jim () CYBERJUNKEES COM>
Date: Wed, 21 Feb 2001 09:05:16 -0500
On Tuesday 20 February 2001 19:35, Phil Brutsche wrote:
> I disagree that this is a BIND 8.2.3 exploit. If it was we probably would have heard about it on BugTraq by now :)
As do I, after now having more time to look into it. See my previous post in response to gabriel rosenkoetter.
> I've seen this rootkit (or, at least, this back door) on a RedHat box that had no business running, and was not running, BIND. They were, however, running all sorts of other services (it was RedHat 6.0, with *no* updates) that had nasty vulnerabilities. If you still have access to the compromised system, I think you'll find some files under /dev/sdc0/ (where the ssh backdoor gets its configuration).
/dev/sdc0/ is there with the appropriate config files, yes.
> I think you will also find /usr/sbin/in.sysched. I have no idea what that does; I've heard it may be a DDoS tool. I haven't been able to find anything conclusive about it on Google, and nothing on packetstorm and SecurityFocus.
/usr/sbin/in.sysched is not there:

[root@ns4 sbin]# ls in.*
in.amdq     in.ftpd     in.ntalkd   in.rlogind  in.telnetd  in.wuftpd
in.comsat   in.identd   in.popper   in.rshd     in.tftpd    in.xfingerd
in.fingerd  in.mtftpd   in.rexecd   in.talkd    in.timed
> What I know about it starts with the (way too short) thread at http://plug.skylab.org/200007/msg00526.html, and another (also way too short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html. As well as some stuff in Norwegian.
Thanks for the info.

-- 
Jim Olsen
Systems Administrator
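An added example (not code from this thread) that turns the indicators discussed above into a check a responder can run against a live host or a mounted image: it looks for the /dev/sdc0/ directory and /usr/sbin/in.sysched, and more generally for regular files stashed under /dev, since a backdoor keeping its configuration there is what the quoted post describes. ROOT is the mount point of the suspect filesystem, and the list of /dev subtrees that legitimately contain files is an assumption to adjust per system.

```shell
#!/bin/sh
# Added example, not code from the thread. ROOT is "/" for a live host or the
# mount point of an evidence image (e.g. /mnt/evidence). The pruned /dev
# subtrees below are an assumption: adjust them for the system being examined.

# check_known_paths ROOT : prints each indicator named in the thread that
# exists under ROOT; returns 1 on any hit, 0 when none is present.
check_known_paths() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    for p in dev/sdc0 usr/sbin/in.sysched; do
        if [ -e "$root/$p" ]; then
            echo "HIT: $root/$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# find_files_in_dev ROOT : lists regular files under ROOT/dev, where only
# device nodes, symlinks and a few directories belong. Subtrees that hold
# files on a normal system (tmpfs mounts) are pruned. Returns 1 if any found.
find_files_in_dev() {
    root="${1:-/}"; root="${root%/}"
    found=$(find "$root/dev" \
        \( -path "$root/dev/shm" -o -path "$root/dev/pts" \
           -o -path "$root/dev/mqueue" -o -path "$root/dev/hugepages" \) -prune \
        -o -type f -print 2>/dev/null)
    [ -z "$found" ] && return 0
    echo "$found" | sed 's/^/FILE UNDER \/dev: /'
    return 1
}

# scan_root ROOT : runs both checks; returns 0 only when nothing was found.
scan_root() {
    rc=0
    check_known_paths "$1" || rc=1
    find_files_in_dev "$1" || rc=1
    return "$rc"
}
```

A non-zero exit from scan_root means something needs a look; a hit under /dev is worth preserving (copy the files off with timestamps) before anything else is touched.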