[cobalt-users] DNS/BIND Attacks
- Subject: [cobalt-users] DNS/BIND Attacks
- From: Wayne Sagar <wsagar@xxxxxxxx>
- Date: Thu Feb 22 00:04:05 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
This message goes out to you from a very tired individual who wonders just what he got himself into with all this "self administered" RaQ stuff....
The problem I described in earlier posts, where my first warning was a "DNS not working" message from my system... then finding I could not telnet in... has proven to have been a BIND attack... this disrupts the DNS.. the system still worked because the upstream provider's DNS was taking over and routing the site and virtuals correctly...
The theory on why you can't telnet in is the most scary part... the crackers are installing a "fake telnet" server and guess what.. every time you try to log in, it sends them your password...
I'm currently in the process of taking my system back up from a totally new restore, adding all the patches and installing *all* the virtuals... HUGE message board archives and all right now.. just finally got my email server running (one of those... "I'm not sure what-ta-hell I did, but it's working now"s)
So word of warning to all of those I've seen message here over the past few days that have the exact or similar symptoms as I did...
You have but one option.. Recovery Disk... you HAVE to take the server down and start over.. it's that simple. You can perhaps find a way back into the system as root.. and you can "root" around for days trying to find all that Mr. Cracker put in there (and maybe never find it) or.. you can take it down, reformat the disk and do the recovery... Then at least, you are sure that he's gone... for now...
I will be sitting down with a security expert and attempting to close all the holes that I am able to.. will be doing things quite differently and just waiting for the next one to happen... hoping against hope that it does not and glumly sitting here knowing it probably will...
install SSH... do what someone else here suggested.. HIDE IT.. turn OFF telnet and ftp... and cross my fingers... (I might even burn some incense and pray for a while)
I've had a lesson in reality this week.. denial will not stop Mr. Cracker... he's out there, he ain't necessarily smart.. he just knows where to get the tools to do what he wants to... I think I'd gladly pay the money for a separate server, donate to their cause and let them play with it till their hearts are content if I could get some assurance they would leave the one I have to spend the rest of the night and into the AM rebuilding ALONE... I'm just a little guy trying to pull out a few bucks from my many hours of hard work... this stuff makes me wonder if it is worth it!
Wayne Sagar