From: Robert Johannes <[EMAIL PROTECTED]>
> I missed the details about your system; could you please re-iterate, if
> you already did, the details of the box that was hacked into?  For example,
> what daemons does that machine typically run?  What versions of
> software:  e.g., OS version, daemon versions, and other versions you can
> think of.  How many accounts on it?  How do you think the hacker was able
> to break into your system?

The system is Red Hat 6.1, and was running BIND 8.1.2, which is
vulnerable to what appears to be a fairly common rootkit. The
exploit installs new copies of several system utilities that
do not report the existence of the backdoor it installs on
port 37331 (in my case anyway), which is handled by the
hacker-installed in.sys app.
It also upgrades named to a non-vulnerable version.

I read somewhere (CERT?) recently that a scan of DNS
servers shows nearly 50% are still open to this exploit.
More info about this attack at the CERT website.

DK
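
The post above describes a rootkit that swaps in trojaned copies of the user-space tools (netstat and friends) so that the listener on port 37331 does not show up. The script below is an added example, not code from the original mail, from the rootkit, or from CERT. It demonstrates the check an investigator would make in that situation: compare the kernel's own socket table in /proc/net/tcp against what the (possibly trojaned) netstat binary reports, and flag any listening port the kernel knows about but netstat omits. The /proc/net/tcp and netstat excerpts embedded in it are constructed sample data; the port number 37331 is the one from the post. The hex-to-decimal helper is written in portable awk so it also works on an old Red Hat 6.x box.

```shell
#!/bin/sh
# Added example (not from the original post): find TCP listeners that the
# kernel reports in /proc/net/tcp but that the netstat binary does not show.
# A user-space rootkit that replaces netstat/ps/ls cannot alter /proc without
# a kernel module, so a port present only in the kernel table is a strong
# indicator of a trojaned netstat and a hidden backdoor.

# Constructed /proc/net/tcp excerpt. local_address is hex IP:PORT, "st" 0A
# means LISTEN. 0016 = 22 (sshd), 0035 = 53 (named), 91D3 = 37331 (backdoor).
PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    25        0 1301 1 00000000 100 0 0 10 0
   2: 00000000:91D3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1388 1 00000000 100 0 0 10 0
   3: 0A000002:0035 0A000005:8A2E 01 00000000:00000000 00:00000000 00000000    25        0 1402 1 00000000 100 0 0 10 0'

# Constructed output of a trojaned "netstat -an": port 37331 has been
# filtered out; the established connection on 53 is shown for realism.
NETSTAT_OUT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:53             10.0.0.5:35374          ESTABLISHED'

# kernel_listen_ports TEXT: print, one per line and sorted numerically, the
# decimal ports of every socket in a /proc/net/tcp dump whose state is 0A.
kernel_listen_ports() {
    printf '%s\n' "$1" | awk '
        function hex2dec(h,  i, d) {
            d = 0
            for (i = 1; i <= length(h); i++)
                d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return d
        }
        NR > 1 && $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }' | sort -n
}

# netstat_listen_ports TEXT: the LISTEN ports reported by netstat -an output,
# again one per line and sorted numerically.
netstat_listen_ports() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $NF == "LISTEN" {
        n = split($4, a, ":"); print a[n] }' | sort -n
}

# hidden_listen_ports PROC_TEXT NETSTAT_TEXT: ports in the kernel table that
# netstat failed to report. Empty output means the two views agree.
hidden_listen_ports() {
    kp=$(kernel_listen_ports "$1")
    np=" $(netstat_listen_ports "$2" | tr '\n' ' ') "
    for p in $kp; do
        case "$np" in
            *" $p "*) ;;                 # reported by netstat, nothing to flag
            *) printf '%s\n' "$p" ;;     # known to the kernel, hidden by netstat
        esac
    done
}

# check_live_host: the same comparison on a real machine. Run it from a
# known-good toolset (rescue floppy or statically linked binaries), because
# cat and awk may have been replaced along with netstat.
check_live_host() {
    hidden_listen_ports "$(cat /proc/net/tcp)" "$(netstat -an 2>/dev/null)"
}

# Demonstration against the constructed data: prints 37331.
hidden_listen_ports "$PROC_NET_TCP" "$NETSTAT_OUT"
```

Two caveats. An LKM rootkit can hide entries from /proc as well, so a clean result here only rules out the user-space variety; a port scan from a second, trusted host is the check that does not depend on anything on the suspect machine. And `rpm -V net-tools procps` will list modified files against the RPM database, but both the rpm binary and its database live on the compromised disk, so treat a clean verify as weak evidence.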
