
[cobalt-users] Bind exploit, RAQ3i



This is preliminary information on an apparently new exploit of BIND.
The configuration hacked was a RAQ3i running the latest version of the
OS and all released updates. We are running a primary DNS server on the
RAQ3i. The hacker sent email to root describing the process followed:

----- Original Message -----
From: <huckit@xxxxxxxxx>
To: <root@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, March 29, 2001 11:57 PM
Subject: I am so sorry!Your hosts was hacked!


> Hello! Administrator:
> I am sorry.
> Your DNS server was hacked by my New variation of the ramen worm.
> I am bestrow your index.html files only for awoke you patch the DNS
> server.
> Please change your password and patch the DNS server to version 9.
> And some backdoor in your system.
> Do this follow me.:)
> 1.
> kill the process of star.sh hack.sh scan.sh pscan ETC.
> 2.
> remove the /tmp/ramen.tgz
> 3.
> find the "/dev/.lib/star.sh" in the /etc/rc.d/rc.sysinit file and
> remove it.
> 4.
> find the "asp stream tcp nowait root /sbin/asp " in the
> /etc/inetd.conf file and remove it.
> 5.
> find the "10008 stream tcp nowait root /bin/sh sh" in the
> /etc/inetd.conf file and remove it.
> 6.
> del the /dev/.lib
>
> ok.
> Now, you removed the 1i0n worm.
> Don't forget to restart your server.
> :)
>
> GoodLuck!
>
> Lion
> ************************************
> http://map.china.com
>
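
The six cleanup steps quoted above double as a list of host indicators. The script below is an added example, not part of the original post and not Cobalt or Sun code: it checks for each indicator read-only and deletes nothing, so it can be run on a live box or against copies of the files before deciding whether to clean by hand or, as this site did, restore from tape. File paths and the process listing are parameters, and the sample files it builds for the demo are constructed here, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only check for the Lion
# worm indicators the quoted message tells the admin to remove. It reports
# and deletes nothing. All paths are parameters, so it can be pointed at a
# rescue-mounted disk or at copies pulled off the host.

# True if file $2 exists and contains the fixed string $1.
file_has_string() {
    [ -f "$2" ] && grep -qF -- "$1" "$2"
}

# File-system indicators. Arguments: rc.sysinit, inetd.conf, the hidden
# directory, the dropped tarball. Prints one "HIT:" line per finding.
lion_check_files() {
    sysinit=$1; inetd=$2; libdir=$3; tarball=$4
    file_has_string "/dev/.lib/star.sh" "$sysinit" &&
        echo "HIT: $sysinit starts /dev/.lib/star.sh at boot"
    file_has_string "asp stream tcp nowait root /sbin/asp" "$inetd" &&
        echo "HIT: $inetd runs /sbin/asp as root from inetd"
    file_has_string "10008 stream tcp nowait root /bin/sh sh" "$inetd" &&
        echo "HIT: $inetd offers a root shell on tcp/10008"
    [ -d "$libdir" ] && echo "HIT: hidden directory $libdir exists"
    [ -f "$tarball" ] && echo "HIT: dropped archive $tarball exists"
    return 0
}

# Process indicators. Reads a process listing (e.g. `ps -eo args`) on stdin
# so a listing saved from the compromised host can be examined as well.
lion_check_procs() {
    grep -E '(^|/)(star\.sh|hack\.sh|scan\.sh|pscan)( |$)' |
        sed 's/^/HIT: running: /'
    return 0
}

# Number of file-system indicators present (0 means none of them).
lion_hit_count() {
    lion_check_files "$@" | grep -c '^HIT:' || true
}

# Constructed sample: files carrying exactly the lines named in the message.
lion_demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "Starting up"\n/dev/.lib/star.sh\n' > "$d/rc.sysinit"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$d/inetd.conf"
    printf 'asp stream tcp nowait root /sbin/asp \n' >> "$d/inetd.conf"
    printf '10008 stream tcp nowait root /bin/sh sh\n' >> "$d/inetd.conf"
    mkdir "$d/.lib"
    : > "$d/ramen.tgz"
    lion_check_files "$d/rc.sysinit" "$d/inetd.conf" "$d/.lib" "$d/ramen.tgz"
    printf 'init [3]\nsh /dev/.lib/star.sh\n/dev/.lib/pscan 64.170 53\nhttpd -D\n' |
        lion_check_procs
    rm -rf "$d"
}

# No argument: run against the constructed sample. "live": check the paths
# the message names on this machine.
case "${1:-demo}" in
    demo) lion_demo ;;
    live) lion_check_files /etc/rc.d/rc.sysinit /etc/inetd.conf /dev/.lib /tmp/ramen.tgz
          ps -eo args 2>/dev/null | lion_check_procs ;;
esac
```

Run it as `sh lion_check.sh live` on the suspect host, or feed a saved `ps -eo args` listing into `lion_check_procs`. A hit count of zero only says these particular indicators are absent; a root-level compromise still warrants the rebuild from known-good media that the poster chose.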

The RAQ3i is on the DMZ of a SonicWall Pro. The following is a portion
of the SonicWall logs showing the attempts:

03/29/2001 11:25:45.448 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1420, DMZ 157.40.0.72, 53, WAN
03/29/2001 11:30:28.480 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2190, DMZ 165.19.24.61, 53, WAN
03/29/2001 11:32:26.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2763, DMZ 193.35.0.74, 53, WAN
03/29/2001 11:37:13.496 The cache is full; too many open connections; some will be dropped 64.170.8.10, 3898, DMZ 189.66.24.156, 53, WAN
03/29/2001 11:39:11.800 The cache is full; too many open connections; some will be dropped 64.170.8.10, 4329, DMZ 148.72.0.80, 53, WAN
03/29/2001 11:43:55.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1478, DMZ 40.49.24.139, 53, WAN
03/29/2001 11:44:28.512 Failed to resolve name 0.0.0.0 0.0.0.0 pop.net.effects.com
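
The firewall entries above carry a connection tuple at the end of each "cache is full" line. The script below is an added example, not part of the original post and not SonicWall's own tooling: it reads those tuples as source IP, source port, source interface, destination IP, destination port, destination interface (the usual SonicWall order, assumed here; check it against your own unit's log format) and counts, per source, how many distinct hosts it reached on one port. A resolver or a DNS server talks to a handful of peers; a host that runs through many unrelated addresses on tcp/53 in minutes is scanning, and that direction of traffic from the DMZ is worth a rule of its own. The sample includes the post's own six entries plus one constructed LAN line for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): triage of SonicWall "cache is
# full" entries by per-source fan-out on a port. Tuple order (src, sport,
# src interface, dst, dport, dst interface) is an assumption about the log
# format; verify it before relying on the output.

# The six log entries from the post (joined onto single lines), one
# constructed line for a LAN client doing an ordinary lookup, and the
# "Failed to resolve" line, which carries no tuple and must be ignored.
sample_log() {
    cat <<'EOF'
03/29/2001 11:25:45.448 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1420, DMZ 157.40.0.72, 53, WAN
03/29/2001 11:26:03.100 The cache is full; too many open connections; some will be dropped 10.0.0.5, 3400, LAN 10.0.0.2, 53, DMZ
03/29/2001 11:30:28.480 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2190, DMZ 165.19.24.61, 53, WAN
03/29/2001 11:32:26.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 2763, DMZ 193.35.0.74, 53, WAN
03/29/2001 11:37:13.496 The cache is full; too many open connections; some will be dropped 64.170.8.10, 3898, DMZ 189.66.24.156, 53, WAN
03/29/2001 11:39:11.800 The cache is full; too many open connections; some will be dropped 64.170.8.10, 4329, DMZ 148.72.0.80, 53, WAN
03/29/2001 11:43:55.512 The cache is full; too many open connections; some will be dropped 64.170.8.10, 1478, DMZ 40.49.24.139, 53, WAN
03/29/2001 11:44:28.512 Failed to resolve name 0.0.0.0 0.0.0.0 pop.net.effects.com
EOF
}

# Read log lines on stdin; print, per source that connected to port $1
# (default 53): source, distinct destinations, first and last timestamp.
dns_fanout() {
    awk -v port="${1:-53}" '
    {
        gsub(/,/, "")                    # drop tuple commas; awk re-splits fields
        if (NF < 8) next
        src = $(NF-5); dst = $(NF-2); dport = $(NF-1)
        if (dport != port) next          # also skips lines that carry no tuple
        if (src !~ /^[0-9.]+$/ || dst !~ /^[0-9.]+$/) next
        if (!((src, dst) in seen)) { seen[src, dst] = 1; fanout[src]++ }
        if (!(src in first)) first[src] = $1 " " $2
        last[src] = $1 " " $2
    }
    END { for (s in fanout) print s, fanout[s], first[s], last[s] }'
}

# Sources whose fan-out reaches the threshold (default 5 distinct
# destinations on the port).
flag_scanners() {
    dns_fanout "$1" | awk -v min="${2:-5}" '$2 >= min { print $1, $2 }'
}

sample_log | dns_fanout 53
echo "--- flagged:"
sample_log | flag_scanners 53 5
```

On a real export, replace `sample_log` with `cat firewall.log` (after joining any wrapped entries) and tune the threshold to what your DMZ hosts normally do; for a server that should only answer queries, any outbound tcp/53 fan-out from it is already a finding.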

====================================
To recover we forced a reboot by a graceful power down (our UPS is
remotely controlled) and restored the system from our tape backup.
As we gather further info we will post it. We also took the temporary
measure of closing more of the access through the firewall until a
patch is released.