Subject: ADMROCKS, Bind exploit...strikes again...
From: Snehal Dasari (pavehawk at NAPALM.NET)
Date: Sat Apr 08 2000 - 09:45:21 CDT
- Next message: Dave Booth: "Re: rooted by r0x - from address 212.177.241.127"
- Previous message: Jeffrey D. Carter: "Resolution on source IP address 169.254.* source addresses"
- Next in thread: Joel de la Garza: "Re: ADMROCKS, Bind exploit...strikes again..."
- Reply: Joel de la Garza: "Re: ADMROCKS, Bind exploit...strikes again..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
heh...apparently this exploit is getting around...
I'm fairly new to Linux, but by no means a new user...
On what looks like Apr 1st (in Australia..my location) I was hacked (sorta)
by this very exploit; rather, my gateway/firewall was..
Apr 1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3839
Apr 1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:19:55 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:20:05 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (50 data bytes)
Apr 1 14:20:25 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (42 data bytes)
Apr 1 14:20:35 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (51 data bytes)
Apr 1 14:21:06 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3887
Apr 1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:48 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:51 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 1 14:24:57 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:58 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (35 data bytes)
Apr 1 14:24:59 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 14:25:01 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1039 (30 data bytes)
Apr 3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from 207.44.243.39
Apr 3 06:14:55 deathknight iplog[2519]: TCP: port scan mode expired for 207.44.243.39 - received a total of 1640 packets (65600 bytes).
This is all the information I could screen out of my logs...I'm writing this
as I am actually..checking/disinfecting (for lack of a better word at the
moment) this machine...
I don't know if they got access as I don't have telnet running and I use SSH1
on a port different to standard. Telnet is also blocked by an ipchains rule
set to reject all packets (inside or outside the firewall)...however, I am
unable to ascertain if they were able to get in...
Here's the weird thing: I'm dial-up....I've checked every possible log I've
got and I've got nothing until the 1st...atm, I'm just cleaning up files for
a reformat/reinstall so I can be 100% positive that this box is clear.
Attached is the dump for named...if that's of any use...
Regards,
Snehal Dasari
- application/octet-stream attachment: named_dump.db
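The iplog excerpt above is the only trace the poster has, and reading it by hand is error-prone because the archive wrapped each record over two lines. The following is an added example, not code from the original post or from iplog: a small Python script that rejoins wrapped records, parses the four message shapes that appear above (TCP "domain connection attempt", UDP "dgram to domain", "port scan detected", "port scan mode expired"), and summarizes per-source activity against port 53. The sample log is constructed to mirror the post's excerpt; the extra source ns.example.net and the flagging heuristic in suspicious() are assumptions of mine, not anything the post states.

```python
"""Summarize iplog(8) records that target the DNS port ("domain", 53).

Added example for the incident above; it is not part of the original post.
The record format is the one iplog writes via syslog:
    MMM DD HH:MM:SS host iplog[pid]: PROTO: message
"""
import re
from collections import defaultdict

# One iplog record: syslog timestamp, reporting host, "iplog[pid]:", message.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"iplog\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The four message shapes seen in the post.
TCP_DOMAIN = re.compile(
    r"^TCP: domain connection attempt from (?P<src>[^:\s]+):(?P<sport>\d+)$")
UDP_DOMAIN = re.compile(
    r"^UDP: dgram to domain from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"\((?P<size>\d+) data bytes\)$")
SCAN_START = re.compile(r"^TCP: port scan detected from (?P<src>\S+)$")
SCAN_END = re.compile(
    r"^TCP: port scan mode expired for (?P<src>\S+) - received a total of "
    r"(?P<pkts>\d+) packets \((?P<bytes>\d+) bytes\)\.$")

# Constructed sample in the same shapes as the post's excerpt (first record
# deliberately wrapped the way the archive wrapped it; ns.example.net is an
# invented benign-looking source).
SAMPLE_LOG = """\
Apr  1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from
207.44.243.39:3839
Apr  1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr  1 14:20:05 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (50 data bytes)
Apr  1 14:21:06 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3887
Apr  1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr  1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr  1 14:25:01 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (44 data bytes)
Apr  1 15:02:13 deathknight iplog[2521]: UDP: dgram to domain from ns.example.net:53 (33 data bytes)
Apr  3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from 207.44.243.39
Apr  3 06:14:55 deathknight iplog[2519]: TCP: port scan mode expired for 207.44.243.39 - received a total of 1640 packets (65600 bytes).
"""


def join_wrapped(text):
    """Rejoin records that a mail client or web archive wrapped mid-message.

    Any physical line that does not start with a syslog timestamp is treated
    as the continuation of the previous record.
    """
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if LINE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.lstrip()
    return records


def summarize(text):
    """Per-source counts of DNS-port activity, keyed by the source as logged."""
    per_src = defaultdict(lambda: {"tcp_attempts": 0, "udp_dgrams": 0,
                                   "udp_sizes": [], "scan": None,
                                   "first": None, "last": None})
    for rec in join_wrapped(text):
        m = LINE.match(rec)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        for pat, kind in ((TCP_DOMAIN, "tcp"), (UDP_DOMAIN, "udp"),
                          (SCAN_START, "scan_start"), (SCAN_END, "scan_end")):
            e = pat.match(msg)
            if e:
                break
        else:
            continue  # some other iplog message; not of interest here
        entry = per_src[e.group("src")]
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
        if kind == "tcp":
            entry["tcp_attempts"] += 1
        elif kind == "udp":
            entry["udp_dgrams"] += 1
            entry["udp_sizes"].append(int(e.group("size")))
        elif kind == "scan_start":
            entry["scan"] = entry["scan"] or {"packets": None, "bytes": None}
        else:  # scan_end carries the totals iplog counted
            entry["scan"] = {"packets": int(e.group("pkts")),
                             "bytes": int(e.group("bytes"))}
    return dict(per_src)


def suspicious(summary):
    """Heuristic (an assumption of this example, not a rule from the post):
    flag a source that both opened TCP connections to 53 and sent UDP
    datagrams to 53, or that iplog flagged as a port scanner. A resolver
    that only ever sends UDP queries is left alone."""
    flagged = []
    for src, e in sorted(summary.items()):
        reasons = []
        if e["tcp_attempts"] and e["udp_dgrams"]:
            reasons.append("tcp+udp to domain")
        if e["scan"] is not None:
            reasons.append("port scan")
        if reasons:
            flagged.append((src, reasons))
    return flagged


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, reasons in suspicious(summary):
        e = summary[src]
        print(f"{src}: {', '.join(reasons)}; {e['tcp_attempts']} TCP, "
              f"{e['udp_dgrams']} UDP {e['udp_sizes']}; {e['first']} .. {e['last']}")
```

Two caveats a practitioner would attach to this output. First, iplog only records that something talked to port 53; a source flagged here has probed the name server, not demonstrably compromised it, so the host itself still has to be checked (is named still the binary the package installed, is it still running, what else changed around 14:24 on Apr 1). Second, the attached named_dump.db is the zone-and-cache dump BIND 8 writes when named receives SIGINT; it shows what the server knew and had cached at dump time, which can be useful for spotting odd records, but it is not a record of what was sent to the server.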