Is this a New kind of DNS Breakin....

webmaster webmaster at allvertical.com
Tue Dec 7 16:49:12 UTC 1999


Hi -

RH6.0 and named as it came from the CD...

I was trying to restart my DNS and I kept getting the following error

ctl_server: bind: Address already in use

But when running a "ps ax" there were no other "named"s running. Upon
closer examination I found 1 "inetd" invoking a program called
"/tmp/bob". When I looked there WAS a /tmp/bob and all that this thing
contained was the single line of text

/bin/sh sh -i

To ME this looks like someone trying (or succeeding) in invoking an
interactive /bin/sh session. When I "kill -9"'ed this "inetd"
invocation and re-tried to start named, the program came up fine.

Since this has happened I have been finding quite a few other things are
"amiss" on some of my machines; the oddest is that on one of the
machines (a Sun Solaris box) people can now FTP and Telnet in with their
account and valid password as well as their account and their valid
password PLUS ANYTHING ELSE (i.e. account "bob" valid password "cat"
would work with "bob" and "catABC" and "cat1234567" etc.)

I'm looking into where to even look, but the DNS/inetd thing I felt was
worth bringing to the attention of "The Net".
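The inetd entry described in this message (a service whose program is a script under /tmp that runs "/bin/sh sh -i") is the kind of thing an inetd.conf audit can catch. The following is an added example, not code from the poster or from the bind-users list; the sample inetd.conf excerpt and the /tmp/bob contents are constructed to mirror what the message reports, and the file-reader callback is an assumption so the check runs offline.

```python
"""Flag inetd.conf service lines that look like a planted shell backdoor."""
import os
import re
from typing import Callable, List, Optional, Tuple

# Directories any local user can write to; a service program here is a red flag.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Matches a bare shell name or a path ending in one ("sh", "/bin/sh", "/bin/bash").
SHELL_RE = re.compile(r"(?:^|/)(?:sh|bash|ksh|csh|tcsh)$")

def _is_shell(token: str) -> bool:
    return bool(SHELL_RE.search(token))

def spawns_interactive_shell(script_text: str) -> bool:
    """True if any command line in a wrapper script runs a shell with -i (e.g. '/bin/sh sh -i')."""
    for raw in script_text.splitlines():
        toks = raw.strip().split()
        if toks and not toks[0].startswith("#") and any(_is_shell(t) for t in toks) and "-i" in toks:
            return True
    return False

def audit_inetd_line(line: str, read_file: Callable[[str], Optional[str]]) -> List[str]:
    """Return the reasons one inetd.conf line is suspicious (empty list if it looks normal).
    Classic layout: service socktype proto wait/nowait user server_path [args...]."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    fields = stripped.split()
    if len(fields) < 6:
        return ["malformed entry (fewer than 6 fields)"]
    server, args = fields[5], fields[6:]
    reasons = []
    if server.startswith(WORLD_WRITABLE):
        reasons.append(f"server program lives in a world-writable directory: {server}")
    if _is_shell(server) or any(_is_shell(a) for a in args):
        reasons.append("entry invokes a shell directly")
    if server != "internal":                      # 'internal' means inetd serves it itself
        body = read_file(server)                  # None if the program cannot be read
        if body is not None and spawns_interactive_shell(body):
            reasons.append(f"{server} execs an interactive shell")
    return reasons

def audit_inetd_conf(conf_text: str,
                     read_file: Optional[Callable[[str], Optional[str]]] = None
                     ) -> List[Tuple[int, str, List[str]]]:
    """Audit a whole inetd.conf; returns (line_number, line, reasons) for each finding."""
    if read_file is None:                         # default: read real files from disk
        read_file = lambda p: open(p).read() if os.path.isfile(p) else None
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        reasons = audit_inetd_line(line, read_file)
        if reasons:
            findings.append((n, line.strip(), reasons))
    return findings

# Constructed sample: three ordinary entries plus one modelled on the /tmp/bob report.
SAMPLE_CONF = """\
# constructed inetd.conf excerpt (not a real host's config)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
daytime stream  tcp  nowait  root  internal
bob     stream  tcp  nowait  root  /tmp/bob        bob
"""
SAMPLE_FILES = {"/tmp/bob": "/bin/sh sh -i\n"}   # constructed contents of the wrapper script

if __name__ == "__main__":
    for lineno, text, why in audit_inetd_conf(SAMPLE_CONF, SAMPLE_FILES.get):
        print(f"line {lineno}: {text}\n    " + "\n    ".join(why))
```

Run it against a live system as `audit_inetd_conf(open("/etc/inetd.conf").read())`; the findings list pairs each suspicious line with the reasons it was flagged.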
