Re: DNS hacker - sos

Sounds like you've been had.  Or your server.  Might have been a bind
exploit, buffer overflow or something, though it's also likely that the
intrusion occurred in another module and the intruder is making the rest
of your machine his.

In the past, when my hosts have been had, I've:

-copied /etc, /home, and so forth off the system to capture what I can of
configs and data.

-reloaded the OS, usually with formats of /root, /boot, /{whatever} that
is system, not user data.

-made sure the obvious stuff is patched.  bind, sendmail, etc...

Lately, the best attacks on my systems have included:

-root hacks that leave me with a tcpd of >360k in size. Obviously his
custom module, backdoors and all.

-hacked named, giving him all that too.

-various cute little modules, like something called chkn... This I found
when I started getting logs complaining it wasn't running... And then the
intruder tried to fix it.  Turns out, this crew wanted to run irc bots on
my system.  Now I remember why I left irc.

-a device, something like /dev/ttyq-something, showed up.  Never was there
before.  This host I ended up reformatting, he was in it like a tick.

Good luck.  Root hacks suck.  This sounds like a root hack.

Rick 




On Wed, 2 Aug 2000, marek@foundmoney.com wrote:

> This is what I found in my DNS debug. scenewhores.com does not belong to
> us nor do we have anything to do with them or this kind of industry.
> From what I can tell they tried to use our DNS server to service this
> domain name?
> 
> 
> datagram from [210.113.231.145].1668, fd 22, len 35
> req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
> req: found 'v.scenewhores.com' as 'com' (cname=0)
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197248.000000000, inter 0.000000000)
> forw: forw -> [198.41.0.4].53 ds=5 nsid=15407 id=53786 79ms retry 4sec
> datagram from [198.41.0.4].53, fd 5, len 130
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15407
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> ;;      v.scenewhores.com, type = A, class = IN
> SCENEWHORES.COM.        2D IN NS        NS1.SUIDREWT.ORG.
> SCENEWHORES.COM.        2D IN NS        NS2.SUIDREWT.ORG.
> NS1.SUIDREWT.ORG.       2D IN A         195.13.119.253
> NS2.SUIDREWT.ORG.       2D IN A         195.13.119.254
> resp: nlookup(v.scenewhores.com) qtype=1
> resp: found 'v.scenewhores.com' as 'scenewhores.com' (cname=0)
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197248.000000000, inter 0.000000000)
> sysquery: send -> [198.41.0.4].53 dfd=5 nsid=2176 id=0 retry=965197248
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197248.000000000, inter 0.000000000)
> sysquery: send -> [198.41.0.4].53 dfd=5 nsid=25109 id=0 retry=965197248
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197248.000000000, inter 0.000000000)
> datagram from [198.41.0.4].53, fd 5, len 180
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197248.000000000, inter 0.000000000)
> datagram from [198.41.0.4].53, fd 5, len 180
> datagram from [210.113.231.145].1668, fd 22, len 35
> req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
> req: found 'v.scenewhores.com' as 'scenewhores.com' (cname=0)
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197253.000000000, inter 0.000000000)
> forw: forw -> [195.13.119.253].53 ds=5 nsid=43213 id=53786 3ms retry
> 4sec
> evSelectFD(ctx 0x80d2740, fd 7, mask 0x1, func 0x8086e98, uap
> 0x4013004c)
> IP/TCP connection from [216.208.41.78].4355 (fd 7)
> datagram from [195.13.119.253].53, fd 5, len 84
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43213
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;;      v.scenewhores.com, type = A, class = IN
> v.scenewhores.com.      1W IN NS        doh.scenewhores.com.
> doh.scenewhores.com.    1W IN A         216.224.8.100
> resp: nlookup(v.scenewhores.com) qtype=1
> resp: found 'v.scenewhores.com' as 'v.scenewhores.com' (cname=0)
> evSetTimer(ctx 0x80d2740, func 0x805aed8, uap 0, due
> 965197254.000000000, inter 0.000000000)
> resp: forw -> [216.224.8.100].53 ds=5 nsid=28566 id=53786 19ms
> evSelectFD(ctx 0x80d2740, fd 8, mask 0x1, func 0x8086e98, uap
> 0x40130008)
> IP/TCP connection from [216.224.8.100].1466 (fd 8)
> evDeselectFD(fd 8, mask 0x1)
> evSelectFD(ctx 0x80d2740, fd 8, mask 0x1, func 0x8086e98, uap
> 0x40130090)
> evDeselectFD(fd 8, mask 0x1)
> update type 30: 6507 bytes is too much data
> 
> And this is when the DNS server went down. Any idea what the purpose of
> this was?
> 
> I've already upgraded to bind 2.5pre9, but I am sure he/she/they will be
> back.
> 
> BTW, when I start the name server another high UDP port seems to be open;
> any idea why this is?

-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
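Read in order, the quoted debug log shows a query for v.scenewhores.com from 210.113.231.145 that the server resolves recursively although the name is not one it serves: forwarded first to a root server (198.41.0.4), then to the delegated nameserver (195.13.119.253), which refers it on to doh.scenewhores.com at 216.224.8.100. The server forwards there, and the very next lines are an inbound TCP connection from that same 216.224.8.100 and the rejection of a 6507-byte type 30 record (type 30 is NXT, RFC 2535) right before the crash. An authoritative server that was just queried has no business opening a TCP connection back to the resolver. The script below is an added example, not from the original post, that parses BIND 8 debug lines of this shape and reports three things: recursive queries from addresses outside the local client range, inbound TCP connections from an address the server had just forwarded a query to, and oversized-record rejections attributed to the most recent inbound TCP peer. The sample log is constructed from the lines quoted in the thread; the local client range (192.0.2.0/24) is an assumption.

```python
"""Correlate BIND 8 debug-log lines for the pattern in the quoted log.

Added example, not from the original thread.  SAMPLE_LOG is constructed from
the lines quoted above; LOCAL_NETS is an assumed client range.
"""
import ipaddress
import re
from dataclasses import dataclass

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),  # assumption: our own clients
              ipaddress.ip_network("127.0.0.0/8")]

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 30: "NXT"}  # RFC 1035, RFC 2535

RE_DGRAM = re.compile(r"^datagram from \[([\d.]+)\]\.(\d+), fd \d+, len \d+")
RE_REQ = re.compile(r"^req: nlookup\(([^)]+)\) id \d+ type=\d+")
RE_FORW = re.compile(r"^(?:forw: forw|resp: forw) -> \[([\d.]+)\]\.\d+")
RE_TCP = re.compile(r"^IP/TCP connection from \[([\d.]+)\]\.(\d+)")
RE_OVERSIZE = re.compile(r"^update type (\d+): (\d+) bytes is too much data")

# Constructed from the lines quoted in the thread (response RRs trimmed).
SAMPLE_LOG = """\
datagram from [210.113.231.145].1668, fd 22, len 35
req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
forw: forw -> [198.41.0.4].53 ds=5 nsid=15407 id=53786 79ms retry 4sec
datagram from [198.41.0.4].53, fd 5, len 130
SCENEWHORES.COM.        2D IN NS        NS1.SUIDREWT.ORG.
NS1.SUIDREWT.ORG.       2D IN A         195.13.119.253
datagram from [210.113.231.145].1668, fd 22, len 35
req: nlookup(v.scenewhores.com) id 53786 type=1 class=1
forw: forw -> [195.13.119.253].53 ds=5 nsid=43213 id=53786 3ms retry 4sec
IP/TCP connection from [216.208.41.78].4355 (fd 7)
datagram from [195.13.119.253].53, fd 5, len 84
v.scenewhores.com.      1W IN NS        doh.scenewhores.com.
doh.scenewhores.com.    1W IN A         216.224.8.100
resp: forw -> [216.224.8.100].53 ds=5 nsid=28566 id=53786 19ms
IP/TCP connection from [216.224.8.100].1466 (fd 8)
update type 30: 6507 bytes is too much data
"""


@dataclass
class Finding:
    kind: str
    peer: str
    detail: str


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyze(log: str) -> list:
    """Walk the log once, correlating clients, forwarded targets and TCP peers."""
    findings = []
    last_client = None      # source of the most recent client datagram (non-53 port)
    last_qname = None       # name from the most recent req line
    upstreams = {}          # ip -> qname we forwarded to that ip
    flagged_clients = set()
    last_tcp_peer = None
    for line in log.splitlines():
        line = line.strip()
        m = RE_DGRAM.match(line)
        if m:
            ip, port = m.groups()
            # Datagrams from port 53 are answers from servers, not client queries.
            last_client = ip if port != "53" else None
            continue
        m = RE_REQ.match(line)
        if m and last_client:
            last_qname = m.group(1)
            if not is_local(last_client) and last_client not in flagged_clients:
                flagged_clients.add(last_client)
                findings.append(Finding("open-recursion", last_client,
                                        f"recursive query for {last_qname} from outside address"))
            continue
        m = RE_FORW.match(line)
        if m:
            upstreams[m.group(1)] = last_qname
            continue
        m = RE_TCP.match(line)
        if m:
            ip, port = m.groups()
            last_tcp_peer = ip
            if ip in upstreams:
                findings.append(Finding("upstream-callback", ip,
                                        f"nameserver we queried for {upstreams[ip]} "
                                        f"opened an inbound TCP connection from port {port}"))
            continue
        m = RE_OVERSIZE.match(line)
        if m:
            rtype, nbytes = int(m.group(1)), int(m.group(2))
            findings.append(Finding("oversize-update", last_tcp_peer or "?",
                                    f"{nbytes}-byte {RR_TYPES.get(rtype, rtype)} "
                                    f"(type {rtype}) record rejected as too much data"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:18} {f.peer:16} {f.detail}")
```

Running the same correlation over the full debug file shows whether the two-step pattern (outside client query, then a callback from the delegated server) recurs after the rebuild; restricting recursion to local clients removes the first step, since the server then never contacts a nameserver chosen by an outside querier.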

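Rick's list (copy the configs off, reinstall, then notice a tcpd far bigger than it should be, a replaced named, a device node that was never there) amounts to checking the host against a known-good baseline. The following is an added example, not code from the thread, of that comparison: it records size, mode and SHA-256 for every entry under chosen directories, then reports entries that are new (new nodes under the dev directory separately), changed, grown past a size ratio, or gone. The directory tree, its contents, the 4x growth threshold and the use of plain files in place of device nodes (mknod needs root) are all constructed for the demonstration.

```python
"""Baseline-and-compare check for the changes described in the reply above.

Added example, not from the original thread.  The sample tree, its contents,
the 4x growth threshold and the stand-in "device nodes" are constructed here.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size, permission bits and (for regular files) SHA-256 of one entry."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return rec


def snapshot(root: Path, subdirs) -> dict:
    """Map of path (relative to root) -> record for everything under subdirs.
    os.walk lists device nodes among the files, so a real /dev is covered."""
    out = {}
    for sub in subdirs:
        for dirpath, _dirs, names in os.walk(root / sub):
            for name in names:
                p = Path(dirpath) / name
                out[os.path.relpath(p, root)] = file_record(p)
    return out


def compare(baseline: dict, current: dict, dev_root="dev", growth=4.0) -> list:
    """Return sorted (kind, path, detail) findings between two snapshots."""
    findings = []
    for rel, rec in current.items():
        old = baseline.get(rel)
        if old is None:
            kind = "new-device-node" if rel.startswith(dev_root + os.sep) else "new-file"
            findings.append((kind, rel, f"{rec['size']} bytes"))
            continue
        if rec.get("sha256") != old.get("sha256") or rec["mode"] != old["mode"]:
            findings.append(("modified", rel, f"{old['size']} -> {rec['size']} bytes"))
        if old["size"] and rec["size"] > old["size"] * growth:
            findings.append(("oversize", rel, f"grew {rec['size'] / old['size']:.1f}x"))
    for rel in baseline:
        if rel not in current:
            findings.append(("missing", rel, ""))
    return sorted(findings)


def demo() -> list:
    """Build a tiny host image, baseline it, 'compromise' it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sbin, dev = root / "usr" / "sbin", root / "dev"
        sbin.mkdir(parents=True)
        dev.mkdir()
        (sbin / "tcpd").write_bytes(b"\x7fELF" + b"\x00" * 4000)
        (sbin / "named").write_bytes(b"\x7fELF" + b"\x01" * 4000)
        (dev / "ttyp0").write_bytes(b"")  # stands in for a device node (mknod needs root)
        baseline = snapshot(root, ["usr/sbin", "dev"])

        # After the intrusion: tcpd replaced by something ten times larger,
        # named swapped for a same-size binary, a new node appears under dev.
        (sbin / "tcpd").write_bytes(b"\x7fELF" + b"\x00" * 40000)
        (sbin / "named").write_bytes(b"\x7fELF" + b"\x02" * 4000)
        (dev / "ttyq0").write_bytes(b"")
        return compare(baseline, snapshot(root, ["usr/sbin", "dev"]))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:16} {path:20} {detail}")
```

Store the baseline somewhere the host cannot write to and run the comparison from a clean boot or a rescue system: with root in the intruder's hands, both a baseline kept on disk and the tools doing the comparison can be altered, which is why the reply above ends with a reformat rather than a cleanup.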
