Subject: Re: rooted by r0x - from address 212.177.241.127
From: Brian McKinney (rizzdogg@NOC.THEWORKS.COM)
Date: Mon Apr 10 2000 - 16:13:04 CDT
I have seen some scanners out there that scan subnets for the version of
bind that's vuln. I believe it was called bscan, and in fact the "cracked by
brizilians thread" that had the rootkit attached to it had the bscan util in
it. I might be wrong though; it was quite a while ago when I saw it.
RizzDogg
-----Original Message-----
From: - - [mailto:slam@ONEMAIN.COM]
Sent: Thursday, April 06, 2000 4:38 PM
To: INCIDENTS@SECURITYFOCUS.COM
Subject: Re: rooted by r0x - from address 212.177.241.127
I don't think a lame server would be a very good indication of an NXT
attempt. Certainly it does say this if you have been compromised but it
could say that 15 other times that day because some people don't configure
things properly. I assume that a seasoned hacker would most likely use
"DIG" or some other probe to find the version of bind they are looking for.
Any other thoughts?
Adam Skulker.
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS@SECURITYFOCUS.COM] On
> Behalf Of Dave Booth
> Sent: Tuesday, April 04, 2000 8:45 AM
> To: INCIDENTS@SECURITYFOCUS.COM
> Subject: Re: rooted by r0x - from address 212.177.241.127
>
>
> On Sat, 1 Apr 2000, karthik krishnamurthy wrote:
>
> > since many people are discussing the bind nxt bug I
> > thought I might add another symptom of a NXT attack.
> > before named crashes it logs the nameserver and the
> > domain used for the attack.
> > lame nameserver on domain xxx.xxx.xxx
> > serever xx.xxx.xx
> > or something to that effect which is what steve has
> > found in his logs.
>
> Is this sort of log entry indicative of an attempt at exploiting the NXT
> bug, even if one is running a version of bind that is supposedly not
> vulnerable? I've seen a lot of discussion of the footprints of a
> successful exploit but not a lot of info on how to detect unsuccessful
> attempts (IMHO almost as important to monitor as when they actually get
> in). This of course assumes that it relates to a nameserver that isn't truly
> lame for the domain in question....
>
> --
> Dave Booth
> dbooth@fibres.net
> +-----------------------------------------------------------------------+
> | All men dream but not equally. Those that dream by night in the dusty |
> | recesses of their minds wake to find it was vanity but the dreamers |
> | of the day are dangerous men, for they may act their dreams with open |
> | eyes to make it possible. |
> | T E Lawrence |
> +-----------------------------------------------------------------------+