Posted: 2/4/2003 9:01:19 AM EDT
If anyone is interested, I isolated some scripts and executables. I emailed the person(s) ISP to alert them. If I can do something legally I will. Here is a link to the files, be sure to read the README.txt file for details: [url]http://67.112.173.90/linuxhacks[/url]
There's no README.txt... So, someone hacked your BIND? Well, no offense, but your techno group does not sound too technical. You need to switch to djdns and dump BIND. Also you need to block the advertising of your version of BIND so Script Kiddies don't target you. You also need to properly configure your firewall so there is no outbound traffic from the DNS server other than UDP port 53. If you need help, let me know. I used to work as a System Administrator at Amazon.com, so I kinda know what I am doing. You need to put this in your named.conf file: options { directory "/var/named"; version "You must be kidding!?"; };
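To verify that the version option above actually takes effect, here is an added check (not from this thread): it builds the CHAOS-class TXT query for version.bind that scanners use, parses the reply, and reports what the server hands out. Constructed reply packets are embedded so the parser runs offline; send_query() is the live check against your own server.

```python
import socket
import struct

def build_version_query(txid=0x1234):
    # Header: id, flags (RD=1), qdcount=1, ancount/nscount/arcount=0
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return hdr + qname + struct.pack("!HH", 16, 3)   # QTYPE TXT (16), QCLASS CH (3)

def _skip_name(buf, off):
    # Advance past a wire-format name, handling a compression pointer.
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_version_answer(resp):
    """Return the first CH TXT string in the answer section, or None if the
    server refused / gave no answer (i.e. nothing is being advertised)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F != 0 or an == 0:
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 16 and rclass == 3:
            tlen = resp[off]                     # TXT: <len><string>
            return resp[off + 1:off + 1 + tlen].decode("latin-1")
        off += rdlen
    return None

def send_query(server, timeout=2.0):
    # Live check against a server you administer.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        return parse_version_answer(s.recv(512))

# Constructed sample replies (not real captures) to the query above:
_Q = build_version_query()[12:]                  # question section only
_ANS = b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00"   # ptr to name, TXT, CH, TTL 0
LEAKY = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _Q + _ANS + b"\x00\x06\x059.2.1"
HIDDEN = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _Q + _ANS + b"\x00\x16\x15You must be kidding!?"
REFUSED = b"\x12\x34\x81\x85\x00\x01\x00\x00\x00\x00\x00\x00" + _Q   # rcode 5
```

A real version string such as "9.2.1" in the result means the option is not in effect; the decoy text or None means scanners learn nothing.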
Well, I thought it would be a good idea to: 1) Isolate the server from the network 2) Reboot it and observe what it does. More specifically, what processes it starts or doesn't start. What daemons it runs or doesn't run. Also, I watched for delays as each one started - this gave me a clue as to where the hack was installed. From there I went through the corresponding directories/config files and searched for hidden files or alterations to scripts.
Quoted: There's no README.txt... So, someone hacked your BIND? Well, no offense, but your techno group does not sound too technical. You need to switch to djdns and dump BIND. Also you need to block the advertising of your version of BIND so Script Kiddies don't target you. You also need to properly configure your firewall so there is no outbound traffic from the DNS server other than UDP port 53. If you need help, let me know. I used to work as a System Administrator at Amazon.com, so I kinda know what I am doing. You need to put this in your named.conf file: options { directory "/var/named"; version "You must be kidding!?"; }; Thanks for the tip. A few questions: 1) Does djdns run on Linux? I haven't heard of it before. 2) The POS firewall/router I had just wouldn't work right when I tried to configure it to pass port 53. Any suggestions on a hardware firewall that doesn't cost an arm and a leg? It doesn't have to be too cheap but not several thousands of dollars either.
Quoted: So, someone hacked your BIND? Well, no offense, but your techno group does not sound too technical. At the moment, no it isn't. The Name server is an old box. I've got some new P4's that I'm going to put online later. I mainly wanted to do some web pages but am hosting a few now. I also planned to use it for my electronics, automotive and music ventures. It's just in the interim I need to do a few things first.
Seeing as how I am using Bind, thanks for the tip. Got any other tips for locking up a Solaris server? Quoted: There's no README.txt... So, someone hacked your BIND? Well, no offense, but your techno group does not sound too technical. You need to switch to djdns and dump BIND. Also you need to block the advertising of your version of BIND so Script Kiddies don't target you. You also need to properly configure your firewall so there is no outbound traffic from the DNS server other than UDP port 53. If you need help, let me know. I used to work as a System Administrator at Amazon.com, so I kinda know what I am doing. You need to put this in your named.conf file: options { directory "/var/named"; version "You must be kidding!?"; };
[B]FYI[/B] djbdns (not djdns) can be found at the following locations: Dr. Bernstein's (the software's author) site: [url]http://cr.yp.to/djbdns.html[/url] The djbdns organization: [url]http://www.djbdns.org[/url] It installed easily on my RedHat Linux 8.0 system but it's not online so I couldn't test it.