Subject: Re: rooted by r0x - from address 212.177.241.127
From: Steve (steveSR-TECH.COM)
Date: Thu Mar 30 2000 - 18:31:13 CST


I was running a stock RedHat 6.1 box as a dns server and got rooted 3-20-2000.
I had the ADMROCKS directory in /var/named, so I know they used the "ADM named
8.2/8.2.1 NXT remote overflow" exploit to get in. Apparently it's a piece of
cake for any kid to get in this way. They also planted the trin00 DoS daemon
and tried to compile the portscanner locally, but I had no development tools
installed. They modified a bunch of files, probably a "root kit". I felt like a
real dork for not paying attention to the security web sites more closely. It's
pretty well known now that Bind 8.2/8.2.1 are a snap to exploit. My suggestion
is to install the latest Bind patch level 5 along with openssh 1.2.3, and shut
everything else off you don't need.

Fortunately, the hackers' interest wasn't in taking down my server, but to keep
the compromise low key, so it could serve as a remote attack point. Funny thing
is that I was having dns lookup problems that week, and thought my ethernet hub
was going bad, so I bought and installed a new one! Duh! Turns out that part of
the exploit is the symptom where Bind times out for 120 seconds during the
compromise. I noticed this about 6 times during the week. The hackers also left
some login entries in /var/log/messages, but the source address was to another
dns server in china (I'm in NJ), so I figure they compromised that server
first.

Steve Redler IV, Sysadmin
stevesr-tech.com

"If Windows is the answer, I want the problems back!"
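The post above names three things a defender could have checked on that box: the BIND release (8.2/8.2.1 are the exploitable ones; the "patch level 5" release is assumed here to be 8.2.2-P5), the ADMROCKS directory the exploit leaves under /var/named, and root logins in /var/log/messages from hosts nobody expected. The triage helper below is an added example, not Steve's code or anything from the thread; the log line format, the allowlist of expected login sources and the sample inputs are all constructed for illustration.

```python
"""Triage helper for the BIND NXT compromise indicators described in the post."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# BIND releases the post names as exploitable via the ADM NXT overflow.
VULNERABLE_BIND = {(8, 2), (8, 2, 1)}
# Directory the ADM exploit left behind on the poster's box.
ADM_MARKER = "/var/named/ADMROCKS"


def parse_bind_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Turn a 'named 8.2.1' or 'named 8.2.2-P5' style banner into an int tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-P(\d+))?", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def bind_is_vulnerable(banner: str) -> bool:
    """True for 8.2 and 8.2.1; 8.2.2 and later (incl. 8.2.2-P5) are not in the set."""
    v = parse_bind_version(banner)
    return v is not None and v[:3] in VULNERABLE_BIND


def suspicious_logins(log_lines: Iterable[str], allowed_sources: Set[str]) -> List[str]:
    """Return login lines whose FROM host is not in the allowlist (constructed format)."""
    hits = []
    for line in log_lines:
        m = re.search(r"login: .*?\bFROM\s+(\S+)", line)
        if m and m.group(1) not in allowed_sources:
            hits.append(line)
    return hits


def triage(banner: str, present_paths: Set[str], log_lines: Iterable[str],
           allowed_sources: Set[str]) -> List[str]:
    """Collect the indicators from the post into a list of findings (empty = clean)."""
    findings = []
    if bind_is_vulnerable(banner):
        findings.append(f"vulnerable BIND release: {banner.strip()}")
    if ADM_MARKER in present_paths:
        findings.append(f"ADM exploit marker present: {ADM_MARKER}")
    for line in suspicious_logins(log_lines, allowed_sources):
        findings.append(f"login from unexpected host: {line}")
    return findings


# Constructed sample data: one login from the address in the thread subject, one expected.
SAMPLE_LOGS = [
    "Mar 20 02:41:07 ns1 login: LOGIN ON ttyp0 BY root FROM 212.177.241.127",
    "Mar 21 09:03:11 ns1 login: LOGIN ON ttyp1 BY steve FROM 10.0.0.5",
]
```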