Subject: Re: rooted by r0x - from address 212.177.241.127
From: spookah . (k_liner HOTMAIL.COM)
Date: Tue Apr 11 2000 - 18:34:55 CDT
- Next message: Mike: "route oddness"
- Previous message: Michael Kluskens: "dsnhack.pl"
- Maybe reply: spookah .: "Re: rooted by r0x - from address 212.177.241.127"
I have seen and had a copy of bscan, which is actually an a, b, or c class
broadcast scanner. A new 'bscan' may have been released which scans for
boxes vulnerable to the NXT exploit, but not that I am personally aware of.
spookah
Network Technician
Linux Administrator
>From: Brian McKinney <rizzdogg NOC.THEWORKS.COM>
>Reply-To: Brian McKinney <rizzdogg NOC.THEWORKS.COM>
>To: INCIDENTS SECURITYFOCUS.COM
>Subject: Re: rooted by r0x - from address 212.177.241.127
>Date: Mon, 10 Apr 2000 14:13:04 -0700
>
>I have seen some scanners out there that scan subnets for the version of
>bind that's vuln. I believe it was called bscan, and in fact the "cracked by
>brizilians thread" that had the rootkit attached to it had the bscan util
>in it. I might be wrong though, it was quite a while ago when I saw it.
>
>RizzDogg
>
>-----Original Message-----
>From: - - [mailto:slam ONEMAIN.COM]
>Sent: Thursday, April 06, 2000 4:38 PM
>To: INCIDENTS SECURITYFOCUS.COM
>Subject: Re: rooted by r0x - from address 212.177.241.127
>
>
>I don't think a lame server would be a very good indication of an NXT
>attempt. Certainly it does say this if you have been compromised but it
>could say that 15 other times that day because some people don't configure
>things properly. I assume that a seasoned hacker would most likely use
>"DIG" or some other probe to find the version of bind they are looking for.
>
>
>
>Any other thoughts?
>
>Adam Skulker.
>
>
> > -----Original Message-----
> > From: Incidents Mailing List [mailto:INCIDENTS SECURITYFOCUS.COM]On
> > Behalf Of Dave Booth
> > Sent: Tuesday, April 04, 2000 8:45 AM
> > To: INCIDENTS SECURITYFOCUS.COM
> > Subject: Re: rooted by r0x - from address 212.177.241.127
> >
> >
> > On Sat, 1 Apr 2000, karthik krishnamurthy wrote:
> >
> > > since many people are discussing the bind nxt bug I
> > > thought I might add another symptom of a NXT attack.
> > > before named crashes it logs the nameserver and the
> > > domain used for the attack.
> > > lame nameserver on domain xxx.xxx.xxx
> > > serever xx.xxx.xx
> > > or something to that effect which is what steve has
> > > found in his logs.
> >
> > Is this sort of log entry indicative of an attempt at exploiting the NXT
> > bug, even if one is running a version of bind that is supposedly not
> > vulnerable? I've seen a lot of discussion of the footprints of a
> > successful exploit but not a lot of info on how to detect unsuccessful
> > attempts (IMHO almost as important to monitor as when they actually get
> > in). This of course assumes that it relates to a nameserver that isn't
> > truly lame for the domain in question....
> >
> > --
> > Dave Booth
> > dbooth fibres.net
> >
> > +-----------------------------------------------------------------------+
> > | All men dream but not equally. Those that dream by night in the dusty |
> > | recesses of their minds wake to find it was vanity but the dreamers   |
> > | of the day are dangerous men, for they may act their dreams with open |
> > | eyes to make it possible.                                             |
> > | T E Lawrence                                                          |
> > +-----------------------------------------------------------------------+
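The thread leaves open how to tell routine "lame server" noise from an entry that precedes a named crash. One way to triage that, as an added example that is not part of any message in this thread: separate lame-server entries that are followed shortly by named running under a new PID from those that are not. The syslog line layout, the two-minute window and the use of a PID change as the sign that named died and came back are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines; the message layout is an assumption,
# not copied from any log quoted in the thread.
SAMPLE_LOG = """\
Apr  4 08:01:10 ns1 named[412]: Lame server on 'example.org' (in 'example.org'?): [192.0.2.10].53 'ns.example.org'
Apr  4 09:30:02 ns1 named[412]: Lame server on 'example.net' (in 'example.net'?): [198.51.100.7].53 'ns.example.net'
Apr  4 09:30:41 ns1 named[977]: starting
Apr  4 13:15:55 ns1 named[977]: Lame server on 'example.org' (in 'example.org'?): [192.0.2.10].53 'ns.example.org'
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[(\d+)\]: (.*)$")
LAME = re.compile(r"^Lame server on '([^']+)'.*\[([\d.]+)\]")

def parse(log, year=2000):
    """Yield (timestamp, pid, message) for each named syslog line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            # Classic syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def triage(log, window=timedelta(minutes=2)):
    """Split lame-server entries into (suspicious, noise).

    An entry is suspicious when named logs under a different PID within
    `window` afterwards, i.e. the daemon exited and was started again.
    """
    events = list(parse(log))
    suspicious, noise = [], []
    for i, (ts, pid, msg) in enumerate(events):
        m = LAME.match(msg)
        if not m:
            continue
        entry = (ts, m.group(1), m.group(2))  # (time, domain, remote server)
        restarted = any(p != pid and t - ts <= window for t, p, _ in events[i + 1:])
        (suspicious if restarted else noise).append(entry)
    return suspicious, noise

if __name__ == "__main__":
    hot, routine = triage(SAMPLE_LOG)
    for ts, domain, server in hot:
        print(f"REVIEW {ts} domain={domain} server={server}: named restarted soon after")
    print(f"{len(routine)} lame-server entries with no restart nearby")
```

A planned restart by an administrator also changes the PID, so flagged entries are candidates for review rather than confirmed attempts.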