Fwd: massive bind8 exploitation - t0rnkit8

Daniel Roesen droesen at entire-systems.com
Mon Feb 12 19:07:36 UTC 2001


For those who didn't cover their backs yet...

----- Forwarded message from Roberto <cinini at TERRA.ES> -----

From: Roberto <cinini at TERRA.ES>
To: INCIDENTS at SECURITYFOCUS.COM
Subject:      massive bind8 exploitation - t0rnkit8
Date:         Mon, 12 Feb 2001 14:01:57 -0000

Hola again !
It has come to my attention that there is massive
bind8.2(p3/p5/p7) exploitation taking place, and
tornkit8 being used. There are already worms for this
on many underground irc channels floating around for
users to use..

Here are some things to look out for tornkit8 and also
if ur bind has been upgraded to 8.2.3-REL chances
are it's the automated worm that's been there...
also u might want to look for dir /lib/ldd.so.. which
exists on some machines tornkit8 is installed..  there
are hidden files tks (sniffer) tkp (parser) and tkps (ssh
snifferlog), also one ssh port being used a lot is 47017
(default tornkit) as well as 47889 keep ur eyes open
for these..

More info as i get it !

Sincerely,
Roberto

----- End forwarded message -----


Best regards,
Daniel

-- 
----------------------------------------------------------------------
entire systems GmbH         | droesen at entire-systems.com
Internet Services           | Phone: +49 2624 9550-55 
Ferbachstrasse 12           | Fax:   +49 2624 9550-20
D-56203 Hoehr-Grenzhausen   | http://www.entire-systems.com/
----------------------------------------------------------------------
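
A host check for the indicators listed in the forwarded message, added here as an example (it is not part of either e-mail). It assumes a Linux host and that the tks/tkp/tkps files sit inside /lib/ldd.so, which the message does not state; it reads /proc/net/tcp directly instead of relying on netstat output from a possibly compromised machine. The function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example. Indicators are the ones named in the forwarded message.
# Assumption: tks/tkp/tkps live inside /lib/ldd.so (the message gives no path).
TORN_PORTS="47017 47889"

# check_files ROOT: print indicator paths under ROOT; return 0 if the dir exists.
check_files() {
    root=${1:-}
    [ -d "$root/lib/ldd.so" ] || return 1
    echo "DIR  $root/lib/ldd.so"
    for f in tks tkp tkps; do
        if [ -e "$root/lib/ldd.so/$f" ]; then
            echo "FILE $root/lib/ldd.so/$f"
        fi
    done
    return 0
}

# check_ports FILE: FILE is in /proc/net/tcp format. Print each TORN_PORTS
# entry that has a socket in LISTEN state (st == 0A); return 0 on any hit.
check_ports() {
    tcp=${1:-/proc/net/tcp}
    hit=1
    for p in $TORN_PORTS; do
        hex=$(printf '%04X' "$p")
        # $2 is local_address as HEXIP:HEXPORT, $4 is the socket state
        if awk -v h="$hex" 'NR > 1 { split($2, a, ":")
                if (toupper(a[2]) == h && $4 == "0A") f = 1 }
                END { exit !f }' "$tcp"; then
            echo "PORT $p listening"
            hit=0
        fi
    done
    return $hit
}

# Run against the live system only when asked: sh tornkit_check.sh --scan
# (tornkit_check.sh is a hypothetical file name for this example)
if [ "${1:-}" = "--scan" ]; then
    check_files "" || echo "no /lib/ldd.so directory"
    check_ports /proc/net/tcp || echo "no listener on $TORN_PORTS"
fi
```

Passing /proc/net/tcp6 to check_ports covers IPv6 listeners as well, since the port and state fields are in the same positions. For a suspect disk mounted elsewhere, pass the mount point to check_files.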

