REREATEDLY (3 times within two weeks)

"Hackers" (a misused term) have relentlessly tried and have suceeded in breaking into my name server.

I was able to find some of the clues they left behind despite their attempts to delete RRs (records).

They would break in through BIND and somehow start RLOGIN despite the fact that I haven't enabled RLOGIN.

I can't even login as ROOT from the console.

Here is the the IP address and information I was able to obtain using NSLOOKUP:

nslookup
Default Server:  dns1-la.lsan03.pacbell.net
Address:  206.13.29.12

> exit
[wg1:~] ihlewis% nslookup -d 211.73.237.6
;; res_nmkquery(QUERY, 12.29.13.206.in-addr.arpa, IN, PTR)
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 16549, rcode = NOERROR
       header flags:  response, want recursion, recursion avail.
       questions = 1,  answers = 1,  authority records = 2,  additional = 2

   QUESTIONS:
       12.29.13.206.in-addr.arpa, type = PTR, class = IN
   ANSWERS:
   ->  12.29.13.206.in-addr.arpa
       name = dns1-la.lsan03.pacbell.net
       ttl = 3777 (1h2m57s)
   AUTHORITY RECORDS:
   ->  29.13.206.in-addr.arpa
       nameserver = NS1.PBI.net
       ttl = 68575 (19h2m55s)
   ->  29.13.206.in-addr.arpa
       nameserver = NS2.PBI.net
       ttl = 68575 (19h2m55s)
   ADDITIONAL RECORDS:
   ->  NS1.PBI.net
       internet address = 206.13.28.11
       ttl = 67806 (18h50m6s)
   ->  NS2.PBI.net
       internet address = 206.13.29.11
       ttl = 130699 (1d12h18m19s)

------------
Server:  dns1-la.lsan03.pacbell.net
Address:  206.13.29.12

;; res_nmkquery(QUERY, 6.237.73.211.in-addr.arpa, IN, PTR)
------------
Got answer:
   HEADER:
       opcode = QUERY, id = 16550, rcode = NOERROR
       header flags:  response, auth. answer, want recursion, recursion avail.
       questions = 1,  answers = 1,  authority records = 2,  additional = 2

   QUESTIONS:
       6.237.73.211.in-addr.arpa, type = PTR, class = IN
   ANSWERS:
   ->  6.237.73.211.in-addr.arpa
       name = Host5-237-6.pagic.net
       ttl = 14400 (4H)
   AUTHORITY RECORDS:
   ->  237.73.211.in-addr.arpa
       nameserver = ns1.pagic.net
       ttl = 14400 (4H)
   ->  237.73.211.in-addr.arpa
       nameserver = ns2.pagic.net
       ttl = 14400 (4H)
   ADDITIONAL RECORDS:
   ->  ns1.pagic.net
       internet address = 210.63.92.1
       ttl = 300 (5M)
   ->  ns2.pagic.net
       internet address = 210.63.92.2
       ttl = 300 (5M)

------------
Name:    Host5-237-6.pagic.net
Address:  211.73.237.6

This ISP is in Taipei, China.

They learned from their last attempt as they allowed the name server to continue to resolve lookups whereas last time they disabled everything.

I am in the process of building a replacement server as this one is old and I have had a hard time upgrading the OS on it due to some oddities of that particular computer.

I'm sick of being hacked and wish I had some form of retribution. Arrrrrrrrrhhhhhh!!!!

Hopefully I will have the other items within a week or two. I'm await shipment of some parts (hurry, hurry, hurry) and some extra cash.

I wouldn't put this past the government there to sponsor such attacks. If I did that to them they would be ready to haul me to court or jail. Hmmmmm.......nevermind.

Now, if I could just get this firewall configured properly.....

Um.......I kind of like cheese crackers.

Sgtar15

Dude, that is soooooooo over my head!  We should send a CIA team in after these crackers though.

[b]HACKED BY CHINESE![/B]

What are you running, Linux? I thought it was impervious to hackers!!!! [:D]

LOL,

Yeah i'm running Linux but the problem is with the version of BIND that i'm running.

Briefly, BIND is the program that is run on name servers to resolve domain names.

e.g.- Humans know what www.lewistechnogroup.com is but computers only understand numbers (addresses) so the name server would tell your computer that the above name has the address of 67.112.173.90. You can type the address in your browser and get the same results as typing the name.

Back to BIND. I was running an UPDATED version of bind before the first attack, it took some work to get it to work on that computer but I did get it to work. Well even that version of BIND had some bug which is exploited by hackers. So, here we go again....

The new server i'm building won't have these problems but its still annoying nevertheless.

If I weren't running BIND (which you have to run on a DOMAIN NAME SERVER) this wouldn't be a problem.

I dont know about all your tech talk you posted, but there HAS to be a way to hack back.
I'm sure there are people on this board that will remain namless that might IM you. And by the way Taipai is in Taiwan, not China.

Good Luck! I hope you get these A$$40le$!

DOH! My mistake...

Basically what they are doing is crashing a program (BIND) which runs with a high privledge level then they somehow run another program (RLOGIN = remote login) which allows them to login to a command prompt (like a DOS prompt). At this point they can run commands and programs. They probably have set it up so they can upload their software to the server. This is done so they can attack other computers from the one they hacked. It helps cover their tracks but they made a mistake which I happen to see, so I know where the attack came from.

Haha... I also was thinking the same thing.  

----

Result for 211.73.237.6
% [whois.apnic.net node-2]
% How to use this server        http://www.apnic.net/db/
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      211.73.224.0 - 211.73.255.255
netname:      PAGIC-TW
descr:        PAGIC.net Inc.
descr:        13F,86,Hsin Tai Wu Road Section 1,
descr:        HsiChih City, Taipei Taiwan 221
country:      TW
admin-c:      CL470-AP
tech-c:       HL257-AP
mnt-by:       MAINT-TW-TWNIC
changed:      [email protected] 20010817
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Carven Lee
address:      Pagic net Inc.13F, No.86, Sec 1, Hsin Tai Wu Rd., Hsi-Chih City. Taipei, Taiwan
country:      TW
phone:        +886 2 8691 2324
fax-no:       +886 2 8691 2521
e-mail:       [email protected]
nic-hdl:      CL470-AP
mnt-by:       MAINT-TW-TWNIC
changed:      [email protected] 20010814
source:       APNIC

person:       Heman Lu
address:      PAGIC.net,Inc.
address:      13F, 86, Sec.1, Hsin Tai Wu Rd, Hsichih
address:      Taipei County Taiwan 221
country:      TW
phone:        +886-2-2696-4800
fax-no:       +886-2-2696-4513
e-mail:       [email protected]
nic-hdl:      HL257-AP
mnt-by:       MAINT-TW-TWNIC
changed:      [email protected] 20020610
source:       APNIC

-----

Yeah, i'm definately going to email that ISp about this!!!!

How are they getting through your router or is this server on the DMZ or also acting as a proxy?

[austin powers] Woopdie do, What does it all mean Bazzle? [/austin powers]

What your seeing is nothing new. You must have just started monitoring because this is very common. Many attacks originate from the former USSR, Florida and NY. Most of the attacks from Florida are on a Road Runner segment.

If you are running Linux use Portsentry and Tripwire to help protect your system. In addition to upgrading BIND as that has been a problem for years.

A firewall most likely would not have helped becase you would still allow port 53 UDP access which would still make your system vulnerable to BIND attacks. The only way to ensure your system is secure is to blow it away and reload.

Actually i monitor my system regularly.

I have had one previous attack over a year ago and stopped it cold.

Its just that I have had three break-ins over the past two weeks.

I'm just getting tired of reloading everything (I do keep backups).

While they may crash BIND if things are configured correctly I can deny the use of FTP making it harder for them to upload things onto my server.