On Mon, 19 Feb 2001, Karl J. Runge wrote:

> Hi,
> 
> This may be a false alarm, but in the past few days I've had a lot of
> people jiggling the port 53 (DNS) doorknob on my firewall. About as many
> in the last 4 days as I had in the previous 4 months...
> 
> Makes me think the script kiddies have an exploit toy for the BIND/named
> vulnerability discussed at: http://www.cert.org/advisories/CA-2001-02.html
> and http://www.isc.org
> 
> So... if you haven't updated your externally visible named(8) yet,
> now might be a good time.

Somebody did this to one of our nameservers at work last week. The server 
hadn't yet been upgraded at the time, so they were able to install a
script in /var/named that then pulled over a rootkit into /tmp.
Fortunately, I had all our nameservers running named as an unprivileged
user, so they were unable to actually install the rootkit, and their
script died before deleting itself. 

The script rcp'ed the rootkit from an IP address and user account, which I
passed on to my boss with the suggestion that he track this guy down and
sic our lawyers on him.

--
John Abreau / Executive Director, Boston Linux & Unix 
ICQ#28611923 / AIM abreauj / Email [EMAIL PROTECTED]


