This happened to me a couple of weeks ago. As far as I could
make out, access was gained, as someone else has suggested,
through a BIND exploit (there are a number of critical ones
floating around affecting versions 8.2.2-P7 and earlier).
See http://www.isc.org/products/BIND/bind-security.html.

Solution: rebuild, then upgrade BIND to at least 8.2.3.
Also, consider tightening packet filtering: for example, if
you just forward to a single external DNS server, only accept incoming
domain packets from that IP address.

My suspicion is that the exploit only attempted to send out
the email and thus, as in my case, essentially failed as the
message didn’t get out. Still, root access is root access and
so it’s a lot to take on faith. Painful though it may be, the
only peace of mind is through a rebuild.

Sean.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> David
> Sent: Tuesday, 20 March 2001 7:47 AM
> To: Vince Meissner
> Cc: [EMAIL PROTECTED]; Wayne Innes
> Subject: Re: [SLUG] Whats happening here
>
> which begs the question about how they got in....
>
> Which distro, kernel, etc, etc
>
> sounds like the sort of thing everyone needs to know
>
> On Tue, 20 Mar 2001, Vince Meissner wrote:
>
> > I had this same thing about 3 weeks ago.  (27th Feb, 12:27pm)
> >
> > Basically, you've been hacked.
> > I found on my machine, it had sent a copy of /etc/passwd, /etc/shadow, plus
> > numerous other config/security files.
> > Also, you'll probably find there's a portscan program running from your
> > computer now.  Actively looking for other hosts to compromise.
> > The results of this also get emailed to that china.com address.
> > There was also a directory in the /dev directory which had all the hack tools.
> >
> > These were built on the system.  Check /usr/src
> >
> > First indication on my system was that my internet traffic was flatlining in
> > the Outward direction (quite noticeable on a modem connection).
> > Also, the Syslog stopped at the same time.
> > Check /etc/inet.d; there was a line in there for a telnet on port 1008.
> > (Since I rebuilt, I have noticed a frequent attempt to access port 1008 from
> > host 209.57.90.3)
> > Also, /etc/hosts.deny was erased, /etc/hosts.allow had ALL : 0.0.0.0 added,
> > as did the appropriate files in the sendmail configuration.
> > i.e. they set the machine up to be an open relay.
> >
> > It appears on my system they may have done something with Bind.
> > It went offline at the same time that the attack occurred.
> >
> > I took the safe option and pulled the plug and rebuilt the machine on a new
> > HDD.
> > Once the system has been compromised, you can't trust anything on it.
> >
> > Hope this helps.
> >
> > -Vince
> >
> > Wayne Innes wrote:
> >
> > > Hi,
> > >
> > > Yesterday I received this in my email :-
> > >
> > > The original message was received at Mon, 19 Mar 2001 15:52:14 +1100
> > > from root@localhost
> > >
> > >    ----- The following addresses had permanent fatal errors -----
> > > [EMAIL PROTECTED]
> > >
> > >    ----- Transcript of session follows -----
> > > ... while talking to smtp.idx.com.au.:
> > > >>> MAIL From:<[EMAIL PROTECTED]> SIZE=2358
> > > <<< 501 <[EMAIL PROTECTED]>... Sender domain must exist
> > > 501 [EMAIL PROTECTED] Data format error
> > >
> > > <<SNIP>>
> > >
> > > I have the feeling I should be worried; can anyone who knows more than me
> > > shed any light on what's happened.
> > >
> > > --
> > > SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> > > More Info: http://slug.org.au/lists/listinfo/slug
> >
> >
> >
>
>
>


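Added example (not code from Sean, Vince, or anyone else in this thread): a small Python checker for the host-level indicators Vince describes, namely a permissive /etc/hosts.allow entry such as `ALL : 0.0.0.0`, an unexpected inetd entry (the telnet listener on port 1008), and regular files or stray directories hiding in /dev. The file contents and the throwaway /dev-like directory below are constructed for the example; only the port number comes from the thread. The set of "expected" inetd services is an assumption the administrator supplies.

```python
# Added example: post-compromise indicator checks modelled on the thread's description.
# Sample inputs are constructed, not taken from any real system.
import os
import stat
import tempfile
from typing import Iterable, List

# Client patterns that, paired with "ALL" as the daemon list, admit every host.
WILDCARD_CLIENTS = {"ALL", "0.0.0.0", "0.0.0.0/0.0.0.0", "0.0.0.0/0"}

# Constructed sample files modelled on what Vince reports finding.
HOSTS_ALLOW_SAMPLE = """# constructed sample hosts.allow
sshd : 192.168.1.
ALL : 0.0.0.0
"""

INETD_SAMPLE = """# constructed sample inetd.conf
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
1008   stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
"""


def check_hosts_allow(text: str) -> List[str]:
    """Flag hosts.allow rules of the form 'ALL : <wildcard>' that admit every client."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]  # daemon_list : client_list [: option]
        if len(fields) < 2:
            continue
        daemons, clients = fields[0].upper(), fields[1].upper()
        if daemons == "ALL" and clients in WILDCARD_CLIENTS:
            findings.append(f"hosts.allow line {lineno}: '{line}' opens every wrapped service to every host")
    return findings


def check_inetd_conf(text: str, expected_services: Iterable[str]) -> List[str]:
    """Flag inetd.conf entries whose service field is a bare port number or is not in
    the administrator-supplied set of expected services (assumed input)."""
    expected = {s.lower() for s in expected_services}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()                        # service socktype proto flags user program [args]
        if len(fields) < 6:
            continue
        service, program = fields[0], fields[5]
        if service.isdigit() or service.lower() not in expected:
            findings.append(f"inetd.conf line {lineno}: unexpected service '{service}' running {program}")
    return findings


def check_dev_dir(path: str, known_subdirs: Iterable[str] = ("pts", "shm")) -> List[str]:
    """List regular files and unexpected subdirectories under a device directory.
    /dev should hold device nodes, symlinks and a few known subdirectories, so
    anything else deserves a look."""
    known = set(known_subdirs)
    findings = []
    with os.scandir(path) as entries:
        for entry in entries:
            st = os.lstat(entry.path)                # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                findings.append(f"{entry.path}: regular file in device directory")
            elif stat.S_ISDIR(st.st_mode) and entry.name not in known:
                findings.append(f"{entry.path}: unexpected subdirectory in device directory")
    return findings


def demo_dev_check() -> List[str]:
    """Build a throwaway directory that mimics a tampered /dev (constructed, never the
    real /dev) and run check_dev_dir over it."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "pts"))             # legitimate subdirectory, skipped
        os.mkdir(os.path.join(d, ".hidden_tools"))   # tool directory like the one in the thread
        with open(os.path.join(d, "backdoor.c"), "w") as f:  # a file "built on the system"
            f.write("/* constructed placeholder */\n")
        return sorted(check_dev_dir(d))


if __name__ == "__main__":
    for finding in (check_hosts_allow(HOSTS_ALLOW_SAMPLE)
                    + check_inetd_conf(INETD_SAMPLE, {"ftp", "telnet"})
                    + demo_dev_check()):
        print(finding)
```

Run it against the real files by passing the contents of /etc/hosts.allow and /etc/inetd.conf to the two parsers and `/dev` to `check_dev_dir`; the one caveat, as the thread itself says, is that any check run on the compromised host trusts that host's tools, so treat a finding as confirmation to rebuild rather than as a clean bill of health when nothing turns up.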