[cobalt-users] [RaQ3] A tale about an OS update, bind and a worm
- Subject: [cobalt-users] [RaQ3] A tale about an OS update, bind and a worm
- From: "Per M Knutsen" <per.knutsen@xxxxxxxxxxxxxx>
- Date: Sun Sep 2 16:56:58 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Here's a lesson for ya'all:
Just before hitting bed late yesterday I decided to check on an email from
my co-lo tech. In addition to the answer I was expecting, he was noting
that some other users on the LAN had been complaining that my server was
generating unwanted DNS traffic and that logs were showing that it was
attempting to reach multicast addresses. "No good!" the techie said,
threatening to cut the line unless I took action ASAP.
Let me make it straight: this is the first time I've ever been hacked (erm,
knowing I've been hacked...). I was preparing for impending doom. I soon
noticed several processes running with names such as w0rmssscanner and
w0rmserver. What came next was perhaps somewhat of a greater surprise.
It turned out the worm had already been described. A profile was posted
here:
http://list.cobalt.com/pipermail/cobalt-security/2001-June/002210.html
The culprit was a bind worm, which was kind of weird as I had secured
myself against the bind exploit a long time ago. Reading the profile above, I
realized I had made the same mistake of updating my RaQ3 with the OS Update
4.0 .pkg, which effectively downgraded my hardened bind to an exploitable
one. The "update" was applied a few days ago. The funny thing is that I
also applied the bind update about 10 minutes later! In other words, in the
10 minutes it took me to apply the bind update after the OS update, some
mother**** had already planted his seeds in my RaQ!
10 minutes!!!
I feel so cheated.
Per M Knutsen
http://nethut.no/~pknutsen
If a RaQ crashes in the woods and there is
nobody there to see it, does it really crash?
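The lesson in the post is that a vendor OS update package can silently replace a patched daemon with an older, exploitable one, and that the window between the update and re-applying the daemon fix is enough to get owned. The following is an added example, not code from the post or from Cobalt: a POSIX sh post-update check that compares the installed bind version against the minimum you know is patched, and scans a process listing for the w0rm* process names the post mentions. The version strings (8.2.2-P5, 8.2.3) are illustrative assumptions; the post gives no version numbers, and the process listing is constructed so the script runs offline.

```sh
#!/bin/sh
# Added example: post-update sanity check for the downgrade scenario the
# post describes (OS update .pkg replacing a patched bind with an older one).
# Version numbers below are assumptions, not taken from the post.

# vercmp A B -> prints -1, 0 or 1 when dotted version A is lower than,
# equal to or higher than B. Patch suffixes such as "-P5" are treated as
# extra numeric components, so 8.2.2-P5 < 8.2.2-P7 < 8.2.3.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.]/./g')
    b=$(printf '%s' "$2" | sed 's/[^0-9.]/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$a" = "$ah" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}          # empty component counts as 0
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# require_at_least INSTALLED MINIMUM -> exit 0 if INSTALLED >= MINIMUM,
# exit 1 if the package was downgraded below the version you had hardened.
require_at_least() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# suspicious_procs LISTING -> prints the process names in LISTING that match
# the w0rm* names seen in the post. Name matching only catches this specific
# worm; a renamed binary walks past it, so treat a hit as a prompt to look
# harder, not a miss as a clean bill of health.
suspicious_procs() {
    printf '%s\n' "$1" | grep -i 'w0rm' || true
}

# Constructed sample listing (not a real capture) in "ps -eo comm=" format.
SAMPLE_PS='init
named
httpd
w0rmssscanner
w0rmserver
sshd'

# Usage on a live RaQ (RPM-based), not executed here:
#   require_at_least "$(rpm -q --qf '%{VERSION}-%{RELEASE}' bind)" 8.2.3 \
#       || echo "WARNING: bind is below the patched version, re-apply the fix"
#   suspicious_procs "$(ps -eo comm=)"
```

Run the version check immediately after any vendor package is applied, before the box goes back to serving DNS; if it fails, stop named until the patched package is back on. The process scan is a quick triage step for the specific worm in the post, not a general rootkit check.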