Re: [cobalt-users] DNS/BIND Attacks
- Subject: Re: [cobalt-users] DNS/BIND Attacks
- From: "Arsalan Mahmud" <arsalan@xxxxxxxxxxxx>
- Date: Thu Feb 22 03:57:10 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I just wanted to point out that there is a binary named "netstat" which can
be used to track a process running on a specific port, so what's the use of
HIDING the ssh server?
Arsalan
----- Original Message -----
From: "Wayne Sagar" <wsagar@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, February 22, 2001 12:58 PM
Subject: [cobalt-users] DNS/BIND Attacks
> This message goes out to you from a very tired individual who wonders just
> what he got himself into with all this "self administered" RaQ stuff....
>
> The problem I described in earlier posts, where my first warning was a DNS
> not working message from my system... then finding I could not telnet in
> has proven to have been a BIND attack... this disrupts the DNS.. the system
> still worked because the upstream provider's DNS was taking over and routing
> the site and virtuals correctly...
>
> The theory on why you can't telnet in is the most scary part... the
> crackers are installing a "fake telnet" server and guess what.. every time
> you try to log in, it sends them your password...
>
> I'm currently in the process of taking my system back up from a totally new
> restore, add all the patches install and adding *all* the virtuals... HUGE
> message board archives and all right now.. just finally got my email server
> running (one of those... "I'm not sure what-ta-hell I did's
> butit'sworkingnow's")
>
> So word of warning to all of those I've seen message here over the past
> few days that have the exact or similar symptoms as I did...
>
> You have but one option.. Recovery Disk... you HAVE to take the server
> down and start over.. it's that simple. You can perhaps find a way back into
> the system as root.. and you can "root" around for days trying to find all
> that Mr. Cracker put in there (and maybe never find it) or.. you can take it
> down, reformat the disk and do the recovery... Then at least, you are sure
> that he's gone... for now...
>
> I will be sitting down with a security expert and attempting to close all
> the holes that I am able to.. will be doing things quite differently and
> just waiting for the next one to happen... hoping against hope that it does
> not and glumly sitting here knowing it probably will...
>
> install SSH... do what someone else here suggested.. HIDE IT.. turn OFF
> telnet and ftp... and cross my fingers... (I might even burn some incense
> and pray for a while)
>
> I've had a lesson in reality this week.. denial will not stop Mr.
> Cracker... he's out there, he ain't necessarily smart.. he just knows where
> to get the tools to do what he wants to... I think I'd gladly pay the money
> for a separate server, donate to their cause and let them play with it till
> their hearts are content if I could get some assurance they would leave the
> one I have to spend the rest of the night and into the AM rebuilding
> ALONE... I'm just a little guy trying to pull out a few bucks from my many
> hours of hard work... this stuff makes me wonder if it is worth it!
>
> Wayne Sagar
>
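As an added example that is not part of this thread: a small POSIX shell check that does what Arsalan describes, mapping each listening TCP port to its owning process from `netstat -tlnp` output and flagging anything outside an allowlist, which is also how a stray telnet daemon like the one Wayne describes would show up. The netstat sample, the allowlist and the `audit_listeners` function are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): audit listening TCP sockets by
# mapping each port to its owning process, as netstat -tlnp reports it, and
# flag anything outside an allowlist. The sample below is constructed so the
# script runs offline; on a real host replace SAMPLE_NETSTAT with the output
# of:  netstat -tlnp 2>/dev/null

# Constructed sample in the format of `netstat -tlnp` (Linux net-tools).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      977/in.telnetd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      388/named
tcp        0      0 0.0.0.0:2323            0.0.0.0:*               LISTEN      1203/telnetd'

# Ports we expect to see listening on this host (sshd on 22, named on 53).
# Telnet and ftp are deliberately absent: they are supposed to be turned off.
ALLOWED_PORTS="22 53"

# audit_listeners: reads netstat -tlnp style text on stdin and prints one
# "PORT PROGRAM" line per listening TCP socket whose port is not allowed.
# Returns 0 when nothing unexpected is listening, 1 otherwise.
audit_listeners() {
    unexpected=$(awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # strip address, keep port
            prog = $7; sub(/^[0-9]+\//, "", prog)  # strip PID, keep program name
            if (!(port in ok)) print port, prog
        }')
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Stand-alone run on the constructed sample.
if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners; then
    echo "no unexpected listeners"
else
    echo "unexpected listeners found (listed above)"
fi
```

The check only sees what the kernel reports through netstat; a compromised host with a replaced netstat binary can lie, which is why Wayne's advice to rebuild from clean media still stands.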