Peter McCarthy wrote:
> but I am unable to locate any file called bindname.log on my system ??
Nope, because they've put in a rootkit that stops you seeing it.
> so the obvious thing is I have to reinstall (RH 6.2) but is there any way I
> can figure out how they are getting in and stop them in the short term ?
You are a naughty boy.
The latest (and I think earlier) RH 6.2 version of bind does not run as
root. If you don't run bind as root then they can't get root on your
machine via bind.
Update to the latest RH 6.2 updates, after you rebuild:
http://mirror.aarnet.edu.au/linux/redhat/updates/6.2/i386/
http://mirror.aarnet.edu.au/linux/redhat/updates/6.2/i586/
http://mirror.aarnet.edu.au/linux/redhat/updates/6.2/i686/
http://mirror.aarnet.edu.au/linux/redhat/updates/6.2/noarch/
There you will find bind-8.2.3-0.6.x.i386.rpm which is not vulnerable.
Don't run it as root (i.e. if you use the standard /etc/rc.d/init.d/named
startup script it will drop root privileges).
----+------------------------+--------------------------
Del | mailto:[EMAIL PROTECTED] | Christchurch, New Zealand
----+------------------------+--------------------------
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
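
One way to confirm, after the rebuild, that named really has dropped root as the message above advises. This is an added example, not part of the original message: it reads the Uid line of /proc/<pid>/status for each named process. The function names, the use of pgrep and the sample UID 25 are assumptions.

```shell
#!/bin/sh
# Added example: does a named process still hold a root (0) UID?
# The "Uid:" line of /proc/<pid>/status lists the real, effective,
# saved and filesystem UIDs, in that order.

# Print the four UIDs found in status text read from stdin.
uids_from_status() {
    awk '$1 == "Uid:" { print $2, $3, $4, $5; exit }'
}

# Exit 0 if any UID is 0, 1 if none is, 2 if no Uid line was found.
has_root_uid() {
    uids=$(uids_from_status)
    [ -n "$uids" ] || return 2
    for u in $uids; do
        [ "$u" -eq 0 ] && return 0
    done
    return 1
}

# Check every running named; non-zero exit if any copy is not clean.
# pgrep is an assumption about the host.
check_named() {
    rc=0
    for pid in $(pgrep -x named 2>/dev/null); do
        [ -r "/proc/$pid/status" ] || continue
        has_root_uid < "/proc/$pid/status" && st=0 || st=$?
        case $st in
            0) echo "named pid $pid still holds a root UID"; rc=1 ;;
            1) echo "named pid $pid runs without root UIDs" ;;
            *) echo "named pid $pid: no Uid line found"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed status excerpts (UID 25 is a made-up unprivileged account).
SAMPLE_DROPPED='Name: named
Uid: 25 25 25 25'
SAMPLE_ROOT='Name: named
Uid: 0 0 0 0'
SAMPLE_PARTIAL='Name: named
Uid: 25 0 25 25'

check_named || echo "at least one named process needs attention"
```

Run it on the rebuilt system only: on the compromised install the rootkit mentioned above can hide processes and files, so its output there proves nothing.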