Subject: Re: ADMROCKS, Bind exploit...strikes again...
From: Joel de la Garza (joel SECURIFY.COM)
Date: Mon Apr 10 2000 - 16:08:48 CDT
- Next message: Blake Frantz: "Re: Lots of scans on port 27063"
- Previous message: Dave Dittrich: "Re: Strange & Consistent RST/ACK packets"
- In reply to: Snehal Dasari: "ADMROCKS, Bind exploit...strikes again..."
- Next in thread: Michael Kluskens: "dsnhack.pl"
- Reply: Joel de la Garza: "Re: ADMROCKS, Bind exploit...strikes again..."
- Reply: Michael Kluskens: "dsnhack.pl"
The exploit has been out for a while now. What has occurred is that
someone has written a nice little how-to that can be found at:
http://www.hack.co.za/daem0n/named/NXT-Howto.txt
It makes for a nice read.
cheers,
Joel
Snehal Dasari wrote:
>
> heh...apparently this exploit is getting around...
>
> I'm fairly new to linux, but by no means a new user...
>
> On what looks like Apr 1st (in Australia..my location) I was hacked (sorta)
> by this very exploit, rather, my gateway/firewall was..
>
> Apr 1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from
> 207.44.243.39:3839
> Apr 1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from
> magik.nu:1190 (41 data bytes)
> Apr 1 14:19:55 deathknight iplog[2521]: UDP: dgram to domain from
> magik.nu:1190 (41 data bytes)
> Apr 1 14:20:05 deathknight iplog[2521]: UDP: dgram to domain from
> magik.nu:1190 (50 data bytes)
> Apr 1 14:20:25 deathknight iplog[2521]: UDP: dgram to domain from
> magik.nu:1190 (42 data bytes)
> Apr 1 14:20:35 deathknight iplog[2521]: UDP: dgram to domain from
> magik.nu:1190 (51 data bytes)
> Apr 1 14:21:06 deathknight iplog[2521]: TCP: domain connection attempt from
> 207.44.243.39:3887
> Apr 1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (42 data bytes)
> Apr 1 14:24:48 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (42 data bytes)
> Apr 1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (51 data bytes)
> Apr 1 14:24:51 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (51 data bytes)
> Apr 1 14:24:57 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (35 data bytes)
> Apr 1 14:24:58 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (35 data bytes)
> Apr 1 14:24:59 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (44 data bytes)
> Apr 1 14:25:01 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1032 (44 data bytes)
>
> Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1039 (30 data bytes)
> Apr 1 19:28:00 deathknight iplog[2521]: UDP: dgram to domain from
> 207.44.243.39:1039 (30 data bytes)
>
> Apr 3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from
> 207.44.243.39
> Apr 3 06:14:55 deathknight iplog[2519]: TCP: port scan mode expired for
> 207.44.243.39 - received a total of 1640 packets (65600 bytes).
>
> This is all the information I could screen out of my logs...I'm writing this
> as I am actually..checking/disinfecting (for lack of a better word at the
> moment) this machine...
>
> I don't know if they got access as I don't have telnet running and I use SSH1
> on a port different to standard. Telnet is also blocked by an ipchains rule
> set to reject all packets (inside or outside the firewall)...however, I am
> unable to ascertain if they were able to get in...
>
> Here's the weird thing, I'm dialup....I've checked every possible log I've
> got and I've got nothing until the 1st...atm, I'm just cleaning up files for
> a reformat/reinstall so I can be 100% positive that this box is clear
>
> Attached is the dump for named...if that's of any use...
>
> Regards,
> Snehal Dasari
>
> ------------------------------------------------------------------------
> Name: named_dump.db
> Type: unspecified type (application/octet-stream)
> Encoding: quoted-printable
--
So farewell hope, and with hope farewell fear,
Farewell remorse: all good to me is lost;
Evil, be thou my good.
- John Milton
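As an added example, not part of this thread or of iplog itself, the script below parses iplog lines of the kind quoted in Snehal's post and summarises, per source host, the TCP connection attempts and UDP datagrams aimed at the domain (DNS) service plus any port-scan notice, so a probing sequence like the one above stands out when run over a full log. The regular expressions are assumptions derived from the quoted line format, and the sample log is constructed from a few of the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample in the iplog format quoted in the post (not the full log).
SAMPLE_LOG = """\
Apr 1 14:18:49 deathknight iplog[2521]: TCP: domain connection attempt from 207.44.243.39:3839
Apr 1 14:19:52 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:19:55 deathknight iplog[2521]: UDP: dgram to domain from magik.nu:1190 (41 data bytes)
Apr 1 14:24:47 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (42 data bytes)
Apr 1 14:24:50 deathknight iplog[2521]: UDP: dgram to domain from 207.44.243.39:1032 (51 data bytes)
Apr 3 06:12:41 deathknight iplog[2521]: TCP: port scan detected from 207.44.243.39
"""

# Patterns assumed from the quoted lines; adjust if your iplog build words them differently.
TCP_RE = re.compile(r"TCP: (?P<svc>\S+) connection attempt from (?P<src>[^:\s]+):(?P<port>\d+)")
UDP_RE = re.compile(r"UDP: dgram to (?P<svc>\S+) from (?P<src>[^:\s]+):(?P<port>\d+) \((?P<bytes>\d+) data bytes\)")
SCAN_RE = re.compile(r"TCP: port scan detected from (?P<src>\S+)")


def summarise(log_text, service="domain"):
    """Return {source: {"tcp": n, "udp": n, "udp_bytes": n, "scan": bool}} for events aimed at `service`."""
    stats = defaultdict(lambda: {"tcp": 0, "udp": 0, "udp_bytes": 0, "scan": False})
    for line in log_text.splitlines():
        if (m := TCP_RE.search(line)) and m["svc"] == service:
            stats[m["src"]]["tcp"] += 1
        elif (m := UDP_RE.search(line)) and m["svc"] == service:
            stats[m["src"]]["udp"] += 1
            stats[m["src"]]["udp_bytes"] += int(m["bytes"])
        elif m := SCAN_RE.search(line):
            # A scan notice marks the source regardless of which service it probed.
            stats[m["src"]]["scan"] = True
    return dict(stats)


def suspicious(stats, min_udp=2):
    """Sources that both opened TCP to the service and sent repeated UDP datagrams to it, or that were flagged for a port scan."""
    return sorted(src for src, s in stats.items() if (s["tcp"] and s["udp"] >= min_udp) or s["scan"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for src in suspicious(summary):
        print(src, summary[src])
```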