Is this a New kind of DNS Breakin....

Pandelis Papanikolaoy sysadmin at compulink.gr
Tue Dec 7 18:04:12 UTC 1999


This is not a DNS break-in.
This is an obvious backdoor.
It is almost certain that all the machines on this LAN have been
compromised.

Start searching.

It is also certain that there will be a sniffer somewhere.
Try searching for all files modified recently and you will find the sniffer's
log.

Good Luck

Pandelis



-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On Behalf
Of webmaster
Sent: Tuesday, December 07, 1999 6:49 PM
To: comp-protocols-dns-bind at moderators.isc.org
Subject: Is this a New kind of DNS Breakin....


Hi -

RH6.0 and named as it came from the CD...

I was trying to restart my DNS and I kept getting the following error

ctl_server: bind: Address already in use

But when running a "ps ax" there were no other "named"'s running. Upon
closer examination I found 1 "inetd" invoking a program called
"/tmp/bob". When I looked there WAS a /tmp/bob and all that this thing
contained was the single line of text

/bin/sh sh -i

To ME this looks like someone trying (or succeeding) in invoking an
interactive /bin/sh session. When I "kill -9"'ed this "inetd"
invocation, and re-tried to start named, the program came up fine.

Since this has happened I have been finding quite a few other things are
"amiss" on some of my machines, the oddest is that on one of the
machines (a Sun Solaris Box) now people can FTP and Telnet in with their
account and valid password as well as their account and their valid
password PLUS ANYTHING ELSE (i.e. account "bob" valid password "cat"
would work with "bob" and "catABC" and "cat1234567" etc.)

I'm looking into where to even look, but the DNS/inetd thing I felt was
worth bringing to the attention of "The Net"
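Two triage checks that follow from the thread above, written as an added example that is not part of either message: one pass over inetd.conf that flags service entries whose server program sits in a world-writable directory such as /tmp (the /tmp/bob case the original poster describes), and one pass with find that lists files modified within the last N days (the "search for recently modified files" advice in the reply). The script assumes a POSIX sh with awk and find; the inetd.conf, the /tmp/bob file and the log files it creates are constructed demonstration data, not anything captured from the poster's systems.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread. Assumes POSIX sh, awk, find.

# Print inetd.conf entries whose server program is in a world-writable
# directory (/tmp, /var/tmp, /dev/shm) or is given as a relative path.
# inetd.conf field layout: service socket proto wait user server-program args
suspicious_inetd_entries() {
    # $1 = path to the inetd.conf to inspect
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            prog = $6
            if (prog == "internal") next                 # built-in services (echo, discard, ...)
            if (prog ~ /^\/(tmp|var\/tmp|dev\/shm)\// || prog !~ /^\//)
                print
        }
    ' "$1"
}

# List regular files under the given directories modified within the last N days.
recently_modified() {
    # $1 = days, remaining arguments = directories to walk
    days=$1; shift
    find "$@" -type f -mtime "-$days" 2>/dev/null
}

# --- constructed demonstration data (not a real system) -------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
echo    stream  tcp     nowait  root    internal
# an entry of the kind the original poster found: a shell script dropped in /tmp
bob     stream  tcp     nowait  root    /tmp/bob        bob
EOF
mkdir -p "$demo_dir/tmp" "$demo_dir/var/log"
printf '/bin/sh sh -i\n' > "$demo_dir/tmp/bob"
touch -t 199501010000 "$demo_dir/var/log/old.log"       # old file: must not be listed
printf 'constructed sniffer output\n' > "$demo_dir/var/log/fresh.log"

# Named wrappers so the demo results can be checked rather than only printed.
demo_suspicious_count() { suspicious_inetd_entries "$demo_dir/inetd.conf" | wc -l | tr -d ' '; }
demo_recent_count()     { recently_modified 7 "$demo_dir" | wc -l | tr -d ' '; }
demo_cleanup()          { rm -rf "$demo_dir"; }

echo "suspicious inetd entries:"
suspicious_inetd_entries "$demo_dir/inetd.conf"
echo "files modified in the last 7 days under $demo_dir:"
recently_modified 7 "$demo_dir"
```

On a real host you would point suspicious_inetd_entries at /etc/inetd.conf and recently_modified at / (or at least /etc, /tmp, /var and /usr), and compare the flagged entries against what the package or install media actually shipped; an interface showing the PROMISC flag in ifconfig output is the usual companion sign of the sniffer the reply predicts. Call demo_cleanup when you are done with the constructed files.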


