Bind Hack help


Post by Ted Stephen » Fri, 27 Apr 2001 08:37:48



Someone hacked into my system using "bind user" to e-mail my users and
network setting out. Anyone seen this hack? What can I do to prevent it?

--
Ted Stephens CNE, A+, CCA

 
 
 


Post by Michael Erskin » Fri, 27 Apr 2001 10:58:11


Did he get root?
-m-

> Someone hacked into my system using "bind user" to e-mail my users and
> network setting out. Anyone seen this hack? What can I do to prevent it?

> --
> Ted Stephens CNE, A+, CCA


 
 
 


Post by Ted Stephen » Fri, 27 Apr 2001 20:25:00


All he got away with was a list of the users with an "x" for the passwords. I am
running Caldera eD4 with the latest patches.
--
Ted Stephens CNE, A+, CCA
 
 
 


Post by Luke Voge » Fri, 27 Apr 2001 21:31:58



> All he got away with was a list of the users with an "x" for the passwords. I am
> running Caldera eD4 with the latest patches.
> --
> Ted Stephens CNE, A+, CCA

How do you know that is all he got away with?
Were you running bind as an unprivileged user in a chroot jail?
Have you checked /etc/inetd.conf?
Have you checked the authenticity (md5sums) of ps ls find netstat
ifconfig login bash and just about every other system utility?
Have you checked for "new" users?
Have you checked the logs?
Have you checked for rootkits?
Have you checked for unusual cron activity?
Have you checked for unusual sendmail activity?
Have you checked for unusual /tmp files?
--
Regards
Luke
------
But it does move!
                -- Galileo Galilei
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------
 
 
 


Post by . » Sat, 28 Apr 2001 10:47:24



> Someone hacked into my system using "bind user" to e-mail my users and
> network setting out.

Download a copy of the chkrootkit from
www.chkrootkit.org and run it against your
system.

Consider using "tripwire" in the future.
It takes the guesswork out of checking
the integrity of files should the need arise.

> Anyone seen this hack?

Not I.
 
 
 


Post by larv » Sat, 28 Apr 2001 17:02:22



>Consider using "tripwire" in the future.
>It takes the guesswork out of checking
>the integrity of files should the need arise.

Also consider the fact that you need to have a write-only medium to
make tripwire useful. I've seen tripwire write logs to a regular disk,
which defeats the purpose somewhat :)

k
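
The hash check of system utilities from Luke's list and the baseline-storage point raised in the tripwire replies, as an added example that is not part of any post in this thread: a small shell baseline-and-verify pair. It uses SHA-256 rather than the md5sums mentioned above; the function names and the constructed stand-in files in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal integrity baseline.
# Assumption: SHA-256 via sha256sum replaces the md5sums mentioned above.

# make_baseline FILE...: print "hash  path" lines. Redirect the output
# to media that can later be mounted read-only.
make_baseline() {
    sha256sum -- "$@"
}

# verify_baseline BASELINE: report files that changed or vanished.
# Returns 0 when everything matches, 1 otherwise.
verify_baseline() {
    rc=0
    # Even root fails the -w test on a read-only mount, so a writable
    # baseline means an intruder could have rewritten it too.
    if [ -w "$1" ]; then
        echo "WARNING  baseline $1 is writable" >&2
    fi
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$(sha256sum -- "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# demo: constructed stand-ins for ps, ls and netstat in a temp dir;
# one is altered and one deleted after the baseline is taken.
demo() {
    d=$(mktemp -d) || return 2
    for u in ps ls netstat; do echo "original $u" > "$d/$u"; done
    make_baseline "$d/ps" "$d/ls" "$d/netstat" > "$d/baseline"
    echo "trojaned ps" > "$d/ps"
    rm "$d/netstat"
    verify_baseline "$d/baseline" 2>/dev/null | sed "s|$d/||"
    rm -rf "$d"
}
```

Take the baseline while the system is known to be clean, and run the verify step with a `sha256sum` binary that is itself trusted, for example from the same read-only media.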