[linux-security] Re: Security problems in bind -- persisting?
- From: Kyle B Ferrio <kyle U Arizona EDU>
- To: Graham Higgins <gjh bel-epa com>
- Cc: linux-security redhat com
- Subject: [linux-security] Re: Security problems in bind -- persisting?
- Date: Wed, 12 Jan 2000 13:29:44 -0700 (MST)
In reference to your question, below, yes.
I had a 6.x box hit with the ADMROCKS attack just last night.
Tripwire (actually aide) found a few problems.
The attacker installed two users in passwd. One was a superuser.
The attacker also installed some header files that (at least appear to)
originate from a SSH distribution.
Also, he crashed the caching-only nameserver completely. If he had left named
running, I probably would not have noticed so soon. As it happened, he
was inside for probably less than twenty minutes, and I noticed 20 minutes
later when I needed DNS.
Unfortunately, his last act was to rm -rf /var/log so I don't know
exactly how he got root. Definitely a remote exploit, though.
Does anyone have advice on mirroring syslog to "secret" locations,
preferably encrypted? Losing logs makes it hard to do a risk assessment.
For all I know, I'm still vulnerable after updating bind.
Kyle Ferrio
On Mon, 3 Jan 2000, Graham Higgins wrote:
> restarting, I noticed a directory:
>
> drwxr-xr-x 2 root root 1024 Jan 2 23:47 ADMROCKS/
>
> had appeared and logcheck reported:
>
> **Unmatched Entries**
> Jan 2 23:47:59 bel bash[346]: Remote execution attempt from 194.102.200.1
>
> I can't find any traces of activity in wtmp (but with a shell spawned
> from named, I'm not likely to am I?) and tripwire isn't reporting
> anything untoward in the directories it is assigned to check.
>
> Nevertheless, I am a bit spooked. Has anyone else seen this attack?
> Cheers,
>
> Graham Higgins
> --------------
> Bel EPA Bristol, UK.
> http://bel-epa.com
>
=======================================================================
Kyle Ferrio, Research Associate, Optical Sciences Center, University of Arizona
Office: (520) 626-9354  Lab: (520) 621-8227
GPG Fingerprint: 2549 C01E 9D12 4B3F 1FEC 46C5 8D81 402C 04BE 3813
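The intrusion above left a second UID-0 account in /etc/passwd and no logs to go back to. The following check is an added example, not code from the thread; it scans a constructed sample passwd (the account names are made up) for UID-0 logins other than root and for duplicate login names, so it can be run after an aide or tripwire alert or from a cron job.

```shell
#!/bin/sh
# Added example: spot passwd entries that grant superuser rights.
# Not from the original thread; the sample data below is constructed.

# Constructed sample passwd: root, a system account, an injected UID-0
# login "sysadm" (hypothetical) and an ordinary user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/sh
backup:x:1001:1001::/home/backup:/bin/sh'

# Print login names with UID 0 that are not "root".
# Usage on a live host: find_uid0 < /etc/passwd
find_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print login names that occur more than once; a duplicate entry for an
# existing user can shadow the real one depending on lookup order.
find_dup_logins() {
    awk -F: '{ print $1 }' | sort | uniq -d
}

# Run both checks on passwd content read from stdin.
# Returns 1 (and prints the findings) if anything suspicious is present.
check_passwd() {
    input=$(cat)
    extra=$(printf '%s\n' "$input" | find_uid0)
    dups=$(printf '%s\n' "$input" | find_dup_logins)
    if [ -n "$extra" ] || [ -n "$dups" ]; then
        [ -n "$extra" ] && printf 'unexpected UID 0 accounts: %s\n' "$extra"
        [ -n "$dups" ] && printf 'duplicate login names: %s\n' "$dups"
        return 1
    fi
    return 0
}
```

On a live box, compare the output against a copy of passwd kept off the machine, since, as in this incident, the attacker may have removed the local evidence.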