Security Incidents mailing list archives
Re: Name server probe from NS2.50megs.com
From: jonkeim () PRINCETON EDU (Jonathan S. Keim)
Date: Mon, 17 Jan 2000 23:07:22 +0000
just a clarification: i already sent this to the abuse people at 50megs.com, and got a prompt reply. there shouldn't be any more issues with that machine.

jon

"Jonathan S. Keim" wrote:

> hello,
>
> i got a nameserver probe last night from a machine at 207.173.126.101, which turns out to be:
>
> Name: ns2.50megs.com
> Address: 207.173.126.101
>
> it looks like someone has compromised this machine and is scanning the princeton network with it. most likely it's the result of a bind exploit, thanks to our friends at ADM. look for the directory /var/named/ADMROCKS, or some variant, and that will *generally* tell you if the intruder entered via bind.
>
> i've enclosed the relevant log entries from linux 2.2.x ipchains for your convenience. if you could look into this problem, i'd be very appreciative. good luck catching the script kiddie.
>
> jon
>
> relevant entry
> ----------------
> Jan 16 08:33:33 law kernel: Packet log: input DENY eth0 PROTO=17 207.173.126.101:1704 140.180.145.238:53 L=55 S=0x00 I=65400 F=0x0000 T=49 (#16)
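As an added illustration (not part of the original thread), here is a small parser for the ipchains "Packet log:" format quoted above, with a helper that counts denied packets to port 53 per source address so a log like the one Jon posted can be triaged for DNS probes. The field order, the TEST-NET address 192.0.2.10 and the two extra syslog lines are constructed for the sample.

```python
import re
from collections import Counter

# Regex for the ipchains "Packet log:" format shown in the post. Assumed field
# order: chain, action, interface, PROTO=, src:port, dst:port, L=, S=, I=, F=,
# T=, then an optional "(#rule)" suffix naming the matching ipchains rule.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_ipchains_line(line):
    """Parse one syslog line; return a dict of fields, or None if not ipchains."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "length", "ipid", "ttl"):
        d[key] = int(d[key])
    d["rule"] = int(d["rule"]) if d["rule"] is not None else None
    d["proto"] = PROTO_NAMES.get(int(d["proto"]), d["proto"])
    d["timestamp"] = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
    return d

def dns_probe_sources(lines):
    """Count denied UDP/TCP packets to port 53, keyed by source address."""
    counts = Counter()
    for line in lines:
        rec = parse_ipchains_line(line)
        if (rec and rec["action"] == "DENY" and rec["dport"] == 53
                and rec["proto"] in ("udp", "tcp")):
            counts[rec["src"]] += 1
    return counts

# Constructed sample: the line from the post plus two made-up neighbours
# (a TCP/53 attempt from the same host and an unrelated sshd line).
SAMPLE_LOG = [
    "Jan 16 08:33:33 law kernel: Packet log: input DENY eth0 PROTO=17 "
    "207.173.126.101:1704 140.180.145.238:53 L=55 S=0x00 I=65400 F=0x0000 T=49 (#16)",
    "Jan 16 08:33:34 law kernel: Packet log: input DENY eth0 PROTO=6 "
    "207.173.126.101:1705 140.180.145.238:53 L=60 S=0x00 I=65401 F=0x4000 T=49 (#16)",
    "Jan 16 08:33:35 law sshd[123]: Connection from 192.0.2.10 port 4000",
]
```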