Possible System Compromise
Martin McCormick
martin at dc.cis.okstate.edu
Sat Feb 10 14:04:22 UTC 2001

The system that got queried and complained about the source is

atlas.pba.ucy.ac.cy
Address: 194.42.5.65

; <<>> DiG 8.3 <<>> at 139.78.100.1 atlas.pba.ucy.ac.cy
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; atlas.pba.ucy.ac.cy, type = A, class = IN
;; ANSWER SECTION:
atlas.pba.ucy.ac.cy. 23h56m46s IN A 194.42.5.65
;; AUTHORITY SECTION:
pba.UCY.AC.CY. 7h23m14s IN NS nicosia.ccs.UCY.AC.CY.
pba.UCY.AC.CY. 7h23m14s IN NS zeus.cc.UCY.AC.CY.
;; ADDITIONAL SECTION:
nicosia.ccs.UCY.AC.CY. 4h33m48s IN A 194.42.6.97
zeus.cc.UCY.AC.CY. 4h33m48s IN A 194.42.1.1
;; Total query time: 3 msec
;; FROM: dc.cis.okstate.edu to SERVER: default -- 139.78.100.1
;; WHEN: Sat Feb 10 06:35:38 2001
;; MSG SIZE sent: 37 rcvd: 146

I also have tried the allwhois.com site for the domain of
ucy.ac.cy and that query complained as if it is non-existent. I
probably entered something wrong on that site as everything else
seems to produce something. At the bottom is the dig for the
root server for ucy.ac.cy.

In the time I have been in charge of our domain name
servers I have never seen a problem like this before. There is
an ultra-high worry about system integrity in many parts, these
days, a lot of it valid concern, but I think I have helped beat
this dead horse beyond recognition. I still am not sure why this
happened, but it seems to be isolated. At our site, as with
many, a complaint about any unusual activity sparks lots of
questions and I want to be able to assure many different parties
that we are behaving properly and have not been trashed or
hacked.

; <<>> DiG 8.3 <<>> at i.root-servers.net ucy.ac.cy
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; ucy.ac.cy, type = A, class = IN
;; AUTHORITY SECTION:
ucy.ac.cy. 1D IN SOA zeus.cc.ucy.ac.cy. noc.zeus.cc.ucy.ac.cy. (
2001013101 ; serial
1D ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
;; Total query time: 206 msec
;; FROM: dc.cis.okstate.edu to SERVER: default -- 139.78.100.1
;; WHEN: Sat Feb 10 07:20:59 2001
;; MSG SIZE sent: 27 rcvd: 75
Martin McCormick