Security Incidents mailing list archives
Re: rooted by r0x - from address 212.177.241.127
From: dbooth () FIBRES NET (Dave Booth)
Date: Thu, 6 Apr 2000 17:12:07 -0700
On Thu, 6 Apr 2000, - - wrote:
I don't think a lame server would be a very good indication of an NXT attempt. Certainly it does say this if you have been compromised but it could say that 15 other times that day because some people don't configure things properly. I assume that a seasoned hacker would most likely use "DIG" or some other probe to find the version of bind they are looking for.
I agree, but I was thinking specifically of seeing this where subsequent checking revealed that the proper servers were not lame. I'm also not thinking about catching "seasoned" crackers either - If a real expert wants to smoke my systems I am quite certain that they will eventually succeed. Perhaps I should rephrase the question as "What sort of footprints will one see from the script-kiddies who try the exploit on every nameserver they can find, whether they succeed or not?" By catching those guys we can at least reduce the noise level to the point where we have a fighting chance to defend ourselves against the experts :) (yeah, I know, some hope....)

--
Dave Booth
dbooth () fibres net
+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
| T E Lawrence                                                          |
+-----------------------------------------------------------------------+