[2298] in linux-security and linux-alert archive
[linux-security] Re: Security problems in bind -- persisting?
daemon@ATHENA.MIT.EDU (Kyle B Ferrio)
Thu Jan 13 18:44:21 2000
Date: Wed, 12 Jan 2000 13:29:44 -0700 (MST)
From: Kyle B Ferrio <kyle@U.Arizona.EDU>
To: Graham Higgins <gjh@bel-epa.com>
cc: linux-security@redhat.com
In-Reply-To: <v04210104b49684f15b6a@[194.105.65.9]>
Message-ID: <Pine.A41.4.10.10001121321020.26186-100000@lucia.u.arizona.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-From: linux-security@redhat.com
In reference to your question, below, yes.
I had a 6.x box hit with the ADMROCKS attack just last night.
Tripwire (actually aide) found a few problems.
The attacker installed two users in passwd. One was a superuser.
The attacker also installed some header files that (at least appear to)
originate from a SSH distribution.
Also, he crashed the caching-only nameserver completely. If he had left named
running, I probably would not have noticed so soon. As it happened, he
was inside for probably less than twenty minutes, and I noticed 20 minutes
later when I needed DNS.
Unfortunately, his last act was to rm -rf /var/log so I don't know
exactly how he got root. Definitely a remote exploit, though.
Does anyone have advice on mirroring syslog to "secret" locations,
preferably encrypted? Losing logs makes it hard to do a risk assessment.
For all I know, I'm still vulnerable after updating bind.
Kyle Ferrio
On Mon, 3 Jan 2000, Graham Higgins wrote:
> restarting, I noticed a directory:
>
> drwxr-xr-x 2 root root 1024 Jan 2 23:47 ADMROCKS/
>
> had appeared and logcheck reported:
>
> **Unmatched Entries**
> Jan 2 23:47:59 bel bash[346]: Remote execution attempt from 194.102.200.1
>
> I can't find any traces of activity in wtmp (but with a shell spawned
> from named, I'm not likely to, am I?) and tripwire isn't reporting
> anything untoward in the directories it is assigned to check.
>
> Nevertheless, I am a bit spooked. Has anyone else seen this attack?
> Cheers,
>
> Graham Higgins
> --------------
> Bel EPA Bristol, UK.
> http://bel-epa.com
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
> mail -s unsubscribe linux-security-request@redhat.com < /dev/null
>
=======================================================================
Kyle Ferrio Research Associate Optical Sciences Center
Office: (520) 626-9354 Lab: (520) 621-8227 University of Arizona
GPG Fingerprint: 2549 C01E 9D12 4B3F 1FEC 46C5 8D81 402C 04BE 3813
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
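A defender's check for the passwd change described in the message above (two accounts added, one of them a superuser): an added shell example, not from the original post, that flags UID-0 accounts other than root and accounts absent from a trusted baseline copy. The two passwd files and their contents are constructed stand-ins for /etc/passwd and an offline copy taken earlier.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a passwd-format file
# for extra UID-0 accounts and for accounts missing from a trusted baseline.

# Print every account with UID 0 other than root, one name per line.
extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print account names present in the current file ($1) but absent from the
# baseline ($2). awk reads the baseline first (NR == FNR) to collect names.
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Constructed sample files standing in for /etc/passwd and an earlier copy.
baseline=$(mktemp) && current=$(mktemp)
trap 'rm -f "$baseline" "$current"' EXIT
cat > "$baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
cat > "$current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
adm1:x:0:0::/:/bin/sh
ftp2:x:501:501::/home/ftp2:/bin/sh
EOF

echo "UID-0 accounts besides root:"; extra_superusers "$current"
echo "Accounts not in baseline:";    new_accounts "$current" "$baseline"
```

Keeping the baseline copy off the host (as the author wants for logs) is what makes the second check trustworthy after an intruder has had write access to /etc.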