Is this a New kind of DNS Breakin....

Mark.Andrews at iengines.com
Tue Dec 7 21:36:53 UTC 1999


> 
> This is not a DNS break in.

	How can you deduce that?

	I don't believe RH have put out a new CD with BIND 8.2.2-P3
	or greater on it.  So yes named *could* have been the entry
	path.

	BIND 8.2 also generated the error message below if named was not
	shut down gracefully.  I can't remember which version is on the
	RH 6.0 CD.  The error is only produced when there is an active
	named process in the current release BIND 8.2.2-P5.

	Mark


> This is an obvious backdoor.
> It is almost certain that all the machines on this LAN have been
> compromised.
> 
> Start searching.
> 
> It is also certain that there will be a sniffer somewhere.
> Try searching for all files modified recently and you will find the sniffer's
> log.
> 
> Good Luck
> 
> Pandelis
> 
> 
> 
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On Behalf
> Of webmaster
> Sent: Tuesday, December 07, 1999 6:49 PM
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Is this a New kind of DNS Breakin....
> 
> 
> Hi -
> 
> RH6.0 and named as it came from the CD...
> 
> I was trying to restart my DNS and I kept getting the following error
> 
> ctl_server: bind: Address already in use
> 
> But when running a "ps ax" there were no other "named"s running. Upon
> closer examination I found one "inetd" invoking a program called
> "/tmp/bob". When I looked there WAS a /tmp/bob and all that this thing
> contained was the single line of text
> 
> /bin/sh sh -i
> 
> To ME this looks like someone trying (or succeeding) in invoking an
> interactive /bin/sh session. When I "kill -9"ed this "inetd"
> invocation and re-tried to start named, the program came up fine.
> 
> Since this has happened I have been finding quite a few other things are
> "amiss" on some of my machines; the oddest is that on one of the
> machines (a Sun Solaris box) people can now FTP and Telnet in with their
> account and valid password as well as their account and their valid
> password PLUS ANYTHING ELSE (i.e. account "bob" valid password "cat"
> would work with "bob" and "catABC" and "cat1234567" etc.)
> 
> I'm looking into where to even look, but the DNS/inetd thing I felt was
> worth bringing to the attention of "The Net".
> 
> 
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
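As an added example (not part of any message in this thread), here is a small POSIX sh/awk filter that flags inetd.conf entries of the kind webmaster found: a server program living under /tmp, or a shell handed the accepted socket directly. The sample configuration it reads is constructed for the demo; the /tmp/bob line mirrors the report above, and the service name on that line is a placeholder rather than anything the post states.

```shell
#!/bin/sh
# Added example (not from any message in this thread): audit inetd.conf-style
# entries for the pattern described above -- a service whose server program
# lives in a world-writable scratch directory such as /tmp, or which hands the
# accepted socket straight to a shell. Field layout is that of inetd.conf(5):
#   service socket_type proto wait|nowait user server_program [args ...]

# Read inetd.conf lines on stdin; print each suspicious entry as
# "<reason>: <line>". Exit status is always 0 (awk's), so it is safe under
# set -e; the caller counts or inspects the findings.
flag_inetd_lines() {
    awk '
        # skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            prog = $6
            reason = ""
            if (prog ~ /^\/(var\/)?tmp\// || prog ~ /^\/dev\/shm\//) {
                reason = "server program in scratch directory"
            } else if (prog ~ /(^|\/)(sh|bash|ksh|csh|tcsh|zsh)$/) {
                reason = "server program is a shell"
            } else {
                # e.g. tcpd wrapping a shell: /usr/sbin/tcpd /bin/sh sh -i
                for (i = 7; i <= NF; i++) {
                    if ($i ~ /(^|\/)(sh|bash|ksh|csh|tcsh|zsh)$/) {
                        reason = "shell among server arguments"
                        break
                    }
                }
            }
            if (reason != "") print reason ": " $0
        }'
}

# Constructed sample configuration for the demo. The fourth entry mirrors the
# /tmp/bob report above; its service name is a placeholder, not from the post.
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp      stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet   stream tcp nowait root /usr/sbin/tcpd in.telnetd
daytime  stream tcp nowait root internal
svc-placeholder stream tcp nowait root /tmp/bob bob
shell    stream tcp nowait root /usr/sbin/tcpd in.rshd
exec     stream tcp nowait root /usr/sbin/tcpd /bin/sh sh -i
EOF
}

# Number of flagged entries in the sample (the demo's result).
count_flagged_in_sample() {
    sample_inetd_conf | flag_inetd_lines | wc -l | tr -d ' '
}

# On a live host: flag_inetd_lines < /etc/inetd.conf
sample_inetd_conf | flag_inetd_lines
```

Note that the "shell" service line is not flagged: the service name is rsh's, but the program field is in.rshd, and the filter only looks at what gets executed. Two of the six sample entries are reported, the /tmp/bob one and the one that wraps /bin/sh behind tcpd.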

