Lame server

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 18 21:41:24 UTC 2001


numpty wrote:

> "Robert Eliassen" <jfjm at vktv.no> wrote in message
> news:97kq6l$o74 at pub3.rc.vix.com...
> >
> > On 16 Jan 2001 20:07:49 -0800, Kevin Darcy <kcd at daimlerchrysler.com>
> > wrote:
> >
> > >
> > >If you really, *truly* want to fix these problems, talk to the
> > >administrators of the uu.net, laserlink.net, verio.net, nuri.net,
> > >bellglobal.com and exodus.net nameservers, respectively, and get them
> > >to fix their nameservers, zone data and/or delegations.
>
> I have seen these errors occasionally in my logs but on advice from several
> sources ignored them.
> However yesterday I was scanning through my firewall, snort and message logs
> and saw a failed attempt to log in via ftp with user root followed a few
> seconds later by 4 lame server errors from the same IP as the attempted
> root login. The same IP had also port scanned me a few minutes previously.
> So is there a BIND exploit that would generate these errors in the logs?

Conceivably, if the remote host was cracked using a BIND exploit, the crackers
may have manipulated the zone files on that host, and, if done incorrectly,
that might explain the lame server errors.

More likely, though, the lame server messages and the fact that the remote host
was cracked -- via a BIND or some other kind of exploit -- are probably
symptomatic of a common cause: sloppy system administration.


- Kevin




More information about the bind-users mailing list