Subject: Re: rooted by r0x - from address 212.177.241.127
From: Dave Booth (dboothFIBRES.NET)
Date: Tue Apr 04 2000 - 10:45:14 CDT


On Sat, 1 Apr 2000, karthik krishnamurthy wrote:

> since many people are discussing the bind nxt bug i
> thought i might add another symptom of a NXT attack.
> before named crashes it logs the nameserver and the
> domain used for the attack.
> lame nameserver on domain xxx.xxx.xxx
> server xx.xxx.xx
> or something to that effect which is what steve has
> found in his logs.

Is this sort of log entry indicative of an attempt at exploiting the NXT
bug, even if one is running a version of bind that is supposedly not
vulnerable? I've seen a lot of discussion of the footprints of a
successful exploit but not a lot of info on how to detect unsuccessful
attempts (IMHO almost as important to monitor as when they actually get
in). This of course assumes that it relates to a nameserver that isn't truly
lame for the domain in question....

--
Dave Booth
dboothfibres.net
+-----------------------------------------------------------------------+
| All men dream but not equally. Those that dream by night in the dusty |
| recesses of their minds wake to find it was vanity but the dreamers   |
| of the day are dangerous men, for they may act their dreams with open |
| eyes to make it possible.                                             |
|                             T E Lawrence                              |
+-----------------------------------------------------------------------+