Do you need a connection to that DNS server? If not, then add the host/domain to /etc/hosts.deny, depending on what you feel is appropriate; this also assumes that you are running Unix and tcpd. If not, you might put an ACL on your perimeter router that drops packets from that host/domain. Well, the admin you spoke with can at least turn the machine off, as it is being used as a jumping point for attacks.

You could also point the admin in the direction of http://www.trustedsystems.com/ for a guide on securing NT, NetBUS and the recent IIS vulnerability eEye disclosed.

Of course none of this means that they may be able to do anything more for you right now, but they should be better equipped to respond more effectively than simply shrugging and saying sorry in the future.

Cheers,
Cohen
At 11:22 AM 6/28/99 -0400, you wrote:
>Hi all
>
>Can anyone help me with this problem. Someone has run a portscan program
>and a brute force tool against one of my servers. I traced the intruder back
>to a dns server in Mexico. I called the company in Mexico and the admin
>there was very grateful that I had alerted him but he did not have a clue on
>how to stop it. He told me the DNS server was NT. So I would appreciate any
>help on this as I believe I have done all I can. Please correct me if I am
>wrong.
>
>Thanks
>
>Bryan
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
>
--
Cohen Liota
Information Security Specialist 416.815.3041 - v
Secure Computing Corporation 416.815.3001 - f
[EMAIL PROTECTED] http://www.securecomputing.com/
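
The reply above leaves open whether to list the single host or the whole domain in /etc/hosts.deny. The following is an added example, not part of the original message and not tcpd's own code: a simplified shell model of hosts_access(5) client patterns (exact host, leading-dot domain suffix, trailing-dot address prefix) that shows which connections each kind of entry would refuse. It ignores hosts.allow, netmasks and the other wildcards, and every hostname, domain and address in it is a constructed placeholder.

```shell
# Added example: simplified model of hosts_access(5) matching, hosts.deny only.
# All hostnames, domains and addresses are constructed placeholders.

# pattern_matches PATTERN CLIENT_NAME CLIENT_ADDR -> status 0 on match
pattern_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    addr=$3
    case $pat in
        all) return 0 ;;
        .*)  case $name in *"$pat") return 0 ;; esac ;;  # ".domain" = name suffix
        *.)  case $addr in "$pat"*) return 0 ;; esac ;;  # "192.0.2." = address prefix
        *)   [ "$pat" = "$name" ] || [ "$pat" = "$addr" ] && return 0 ;;
    esac
    return 1
}

# would_deny FILE DAEMON CLIENT_NAME CLIENT_ADDR -> status 0 if a rule matches
would_deny() {
    file=$1 daemon=$2 cname=$3 caddr=$4
    while IFS=: read -r daemons clients _rest; do
        case $daemons in ''|'#'*) continue ;; esac
        d_hit=no
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] && d_hit=yes
        done
        [ "$d_hit" = yes ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            pattern_matches "$c" "$cname" "$caddr" && return 0
        done
    done < "$file"
    return 1
}

# Constructed sample rules: one host, one domain, one address prefix.
write_sample_deny() {
    cat > "$1" <<'EOF'
# constructed hosts.deny
ALL: ns1.example.mx
in.telnetd, in.ftpd: .example.mx
in.fingerd: 198.51.100.
EOF
}

sample=$(mktemp)
write_sample_deny "$sample"
for probe in "in.fingerd ns1.example.mx 192.0.2.10" "in.fingerd www.example.mx 192.0.2.20"; do
    if would_deny "$sample" $probe; then echo "deny:  $probe"; else echo "allow: $probe"; fi
done
rm -f "$sample"
```

Name-based entries depend on the reverse DNS lookup of the connecting address, which the remote side controls, so an address or address-prefix entry is the more dependable way to refuse a known source.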