DNS

"Peña, Botp" botp at delmonte-phil.com
Tue Apr 3 08:55:21 UTC 2001


FWIW. Sorry to barge in.
This is one of the messages I got from the Lion himself. He said that I
should upgrade to v9 since all v8 have overflows... Can anyone shed light
on this, pls?

......................................................
Hello!Administrator:
I am sorry.
Your DNS server was hacked by my New variation of the ramen worm.
I am bestrow your index.html files only for awoke you path the DNS server.
Please change your password and path the DNS server to version 9.
And some backdoor in your system.
Do this follow me.:)
1.
kill the process of star.sh hack.sh scan.sh pscan ETC. 
2.
remove the /tmp/ramen.tgz
3.
find the "/dev/.lib/star.sh" in the /etc/rc.d/rc.sysinit file and remove it.
4.
find the "asp stream tcp nowait root /sbin/asp " in the /etc/inetd.conf file
and remove it.
5.
find the "10008 stream tcp nowait root /bin/sh sh" in the /etc/inetd.conf
file and remove it.
6.
del the /dev/.lib

ok.
Now,You removed the 1i0n worm.
Don't forget to restar yous server.
:)

GoodLuck!
Lion
......................................................

Indeed, he was able to modify the inetd.conf and create the /dev/.lib...


HTH.
-botp






> -----Original Message-----
> From: Brad Knowles [mailto:brad.knowles at skynet.be]
> Sent: Monday, April 02, 2001 8:45 PM
> To: Jim Reid
> Cc: Jimi Thompson; comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: DNS
> 
> 
> 
> At 1:31 PM +0100 4/2/01, Jim Reid wrote:
> 
> >  There are no known security flaws in BIND8.2.3. This of course doesn't
> >  mean that there aren't any. :-) AFAIK the plan is that another BIND8
> >  release will be made some day. The main feature of that will be an
> >  IPv6 capability in the resolver: ie resolv.conf can have an IPv6
> >  address in RFC2372 notation after a nameserver directive. After that
> >  release BIND8 will be at the end of the road, apart from security fixes.
> 
> 	My apologies.  I was under the impression that BIND 8.2.3 was 
> already the end-of-the-line for BIND 8, save major security fixes, 
> etc....
> 
> 	Thanks for clearing this up!
> 
> -- 
> Brad Knowles, <brad.knowles at skynet.be>
> 
> /*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
> /*       Represented as 1045 digit prime number by Phil Carmody         */
> /*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
> /*                                                                      */
> /*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
> /*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */
> 
> dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
> 
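
The artefacts listed in the quoted "Lion" message above, turned into a read-only check. This is an added example, not part of the original post. The `lion_check` function name and its root-prefix argument are assumptions of this example; the paths, the rc.sysinit hook, the inetd.conf entries and the process names are the ones the message names.

```shell
#!/bin/sh
# Added example: read-only check for the artefacts named in the quoted message.
# lion_check and its ROOT argument are assumptions of this example: pass ""
# for the live system, or the mount point of an image of the affected host.
lion_check() {
    root="${1%/}"
    # Files and directories the message says to delete.
    for p in /tmp/ramen.tgz /dev/.lib; do
        if [ -e "$root$p" ]; then echo "path: $p"; fi
    done
    # Boot-time hook the message says was added to rc.sysinit.
    f="$root/etc/rc.d/rc.sysinit"
    if [ -f "$f" ]; then
        grep -n -F '/dev/.lib/star.sh' "$f" | sed 's|^|rc.sysinit:|'
    fi
    # The two inetd.conf services from the message. Commented-out lines are
    # skipped and field separators (tabs or spaces) are collapsed first.
    f="$root/etc/inetd.conf"
    if [ -f "$f" ]; then
        awk '!/^[ \t]*#/ {
            $1 = $1
            if ($0 ~ /^asp stream tcp nowait root \/sbin\/asp/ ||
                $0 ~ /^10008 stream tcp nowait root \/bin\/sh sh/)
                print "inetd.conf:" NR ": " $0
        }' "$f"
    fi
    # Running processes can only be listed on the live system.
    if [ -z "$root" ]; then
        ps -e -o args= 2>/dev/null |
            grep -E '(^|[ /])(star\.sh|hack\.sh|scan\.sh|pscan)( |$)' |
            sed 's|^|process: |'
    fi
    return 0
}

# Run only when a root is given on the command line, e.g.  sh lion_check.sh ""
if [ "$#" -gt 0 ]; then lion_check "$1"; fi
```

Each finding is printed as one line; no output means none of the listed artefacts were found under the given root.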

