Possible System Compromise

Martin McCormick martin at dc.cis.okstate.edu
Sat Feb 10 14:04:22 UTC 2001


	The system that got queried and complained about the
source is

atlas.pba.ucy.ac.cy
Address:  194.42.5.65



; <<>> DiG 8.3 <<>> at 139.78.100.1 atlas.pba.ucy.ac.cy 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;	atlas.pba.ucy.ac.cy, type = A, class = IN

;; ANSWER SECTION:
atlas.pba.ucy.ac.cy.	23h56m46s IN A	194.42.5.65

;; AUTHORITY SECTION:
pba.UCY.AC.CY.		7h23m14s IN NS	nicosia.ccs.UCY.AC.CY.
pba.UCY.AC.CY.		7h23m14s IN NS	zeus.cc.UCY.AC.CY.

;; ADDITIONAL SECTION:
nicosia.ccs.UCY.AC.CY.	4h33m48s IN A	194.42.6.97
zeus.cc.UCY.AC.CY.	4h33m48s IN A	194.42.1.1

;; Total query time: 3 msec
;; FROM: dc.cis.okstate.edu to SERVER: default -- 139.78.100.1
;; WHEN: Sat Feb 10 06:35:38 2001
;; MSG SIZE  sent: 37  rcvd: 146

	I also have tried the allwhois.com site for the domain of
ucy.ac.cy and that query complained as if it is non-existent.  I
probably entered something wrong on that site as everything else
seems to produce something.  At the bottom is the dig for the
root server for ucy.ac.cy.

	In the time I have been in charge of our domain name
servers I have never seen a problem like this before.  There is
an ultra-high worry about system integrity in many parts, these
days, a lot of it valid concern, but I think I have helped beat
this dead horse beyond recognition.  I still am not sure why this
happened, but it seems to be isolated.  At our site, as with
many, a complaint about any unusual activity sparks lots of
questions and I want to be able to assure many different parties
that we are behaving properly and have not been trashed or
hacked.



; <<>> DiG 8.3 <<>> at i.root-servers.net ucy.ac.cy 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	ucy.ac.cy, type = A, class = IN

;; AUTHORITY SECTION:
ucy.ac.cy.		1D IN SOA	zeus.cc.ucy.ac.cy. noc.zeus.cc.ucy.ac.cy. (
					2001013101	; serial
					1D		; refresh
					1H		; retry
					1W		; expiry
					1D )		; minimum


;; Total query time: 206 msec
;; FROM: dc.cis.okstate.edu to SERVER: default -- 139.78.100.1
;; WHEN: Sat Feb 10 07:20:59 2001
;; MSG SIZE  sent: 27  rcvd: 75

Martin McCormick

