Security Incidents mailing list archives
ADMROCKS, Bind exploit...strikes again...
From: pavehawk () NAPALM NET (Snehal Dasari)
Date: Sun, 9 Apr 2000 00:15:21 +0930
heh...apparently this exploit is getting around... I'm fairly new to linux, but by no means a new user... On what looks like Apr 1st (in Australia..my location) I was hacked (sorta) by this very exploit, rather, my gateway/firewall was..

Apr 1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3839
Apr 1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:19:55 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:20:05 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (50 data bytes)
Apr 1 14:20:25 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (42 data bytes)
Apr 1 14:20:35 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (51 data bytes)
Apr 1 14:21:06 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3887
Apr 1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:48 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:51 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:57 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:58 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:59 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 14:25:01 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from 207.44.243.39
Apr 3 06:14:55 deathknight iplog[2519]: TCP: port scan mode expired for 207.44.243.39 - received a total of 1640 packets (65600 bytes).

This is all the information I could screen out of my logs...I'm writing this as I am actually..checking/disinfecting (for lack of a better word at the moment) this machine... I don't know if they got access as I don't have telnet running and I use SSH1 on a port different to standard. Telnet is also blocked by an ipchains rule set to reject all packets (inside or outside the firewall)...however, I am unable to ascertain if they were able to get in...

Here's the weird thing, I'm dialup....I've checked every possible log I've got and I've got nothing until the 1st...atm, I'm just cleaning up files for a reformat/reinstall so I can be 100% positive that this box is clear

Attached is the dump for named...if that's of any use...

Regards,
Snehal Dasari

Attachment: named_dump.db (application/octet-stream)
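The iplog lines quoted in the post share a small fixed format (a TCP "domain connection attempt", a UDP "dgram to domain" with a byte count, and a "port scan detected" event). The following is an added example, not part of the original mail: a parser for those three line shapes and a per-source summary that flags hosts which probed port 53 repeatedly or tripped iplog's scan detector. The sample log is constructed with documentation-range addresses and a hypothetical hostname "gw"; the threshold `min_udp` is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iplog format quoted in the post above.
# Addresses are documentation-range placeholders, not the real sources.
SAMPLE_LOG = """\
Apr 1 14:18:49 gw iplog[2521]: TCP: domain connection attempt from 198.51.100.7:3839
Apr 1 14:19:52 gw iplog[2521]: UDP: dgram to domain from 198.51.100.7:1190 (41 data bytes)
Apr 1 14:19:55 gw iplog[2521]: UDP: dgram to domain from 198.51.100.7:1190 (50 data bytes)
Apr 1 14:24:47 gw iplog[2521]: UDP: dgram to domain from 192.0.2.9:1032 (42 data bytes)
Apr 1 19:28:00 gw iplog[2521]: UDP: dgram to domain from 198.51.100.7:1039 (30 data bytes)
Apr 3 06:12:41 gw iplog[2521]: TCP: port scan detected from 198.51.100.7
"""

_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
PATTERNS = {  # the three line shapes seen in the post; order matters only for readability
    "tcp_dns": re.compile(_PREFIX + r"TCP: domain connection attempt from (?P<src>[^:\s]+):\d+$"),
    "udp_dns": re.compile(_PREFIX + r"UDP: dgram to domain from (?P<src>[^:\s]+):\d+ \((?P<bytes>\d+) data bytes\)$"),
    "scan": re.compile(_PREFIX + r"TCP: port scan detected from (?P<src>\S+)$"),
}

def parse_iplog(text):
    """Return one dict per recognised iplog line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                ev = {"kind": kind, "ts": m.group("ts"), "src": m.group("src")}
                ev["bytes"] = int(m.group("bytes")) if kind == "udp_dns" else 0
                events.append(ev)
                break
    return events

def summarize(events):
    """Aggregate per source: DNS TCP attempts, UDP datagrams, UDP payload bytes, scan flag."""
    per_src = defaultdict(lambda: {"tcp_dns": 0, "udp_dns": 0, "udp_bytes": 0, "scan": False})
    for ev in events:
        s = per_src[ev["src"]]
        if ev["kind"] == "scan":
            s["scan"] = True
        else:
            s[ev["kind"]] += 1
            s["udp_bytes"] += ev["bytes"]
    return dict(per_src)

def suspicious_sources(summary, min_udp=3):
    """Sources that sent >= min_udp datagrams to port 53 or triggered iplog's scan mode."""
    return sorted(src for src, s in summary.items() if s["scan"] or s["udp_dns"] >= min_udp)
```

Run `suspicious_sources(summarize(parse_iplog(open("/var/log/messages").read())))` against a real iplog file to get the list of hosts whose DNS traffic deserves a look; lines in other iplog formats are simply ignored.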
Current thread:
- ADMROCKS, Bind exploit...strikes again... Snehal Dasari (Apr 08)
- Re: ADMROCKS, Bind exploit...strikes again... Joel de la Garza (Apr 10)
- dsnhack.pl Michael Kluskens (Apr 12)
- Port 27015 Bruce Kneece (Apr 12)
- Re: dsnhack.pl Roelof Temmingh (Apr 13)