>is curious as to how these folks did this. They exploited BIND 8.2.3
>to get in and logs indicated that someone was using a "back door" in
>Novell's NetWare proxy caches to perform the attack (since several
>different servers were used as "blinds" to get in).
There is AFAIK no known exploit to BIND 8.2.3 and I don't see why
anyone should use a "novell Netcache backdoor". If I'd want to hack
your box, I would use this:
% telnet vger.timpanogas.com 22
Connected to vger.timpanogas.com.
Escape character is '^]'.
Well known exploits downloadable at any of the better hacking sites.
>We are unable to determine just how they got in exactly, but they
>kept trying and created an oops in the affected code which allowed
>the attack to proceed.
Come on, you can't be _that_ blind. Either you didn't install all your
vendor recommended updates or you installed self rolled programs and
You even get connects on the telnet port (no daemon, though), so you
either have a hosts.allow (which _is_ spoofable) or a non-cleaned up
[x]inetd.conf which means you didn't harden your box for Internet
If you don't prepare your box for a hostile environment, you get
hit. First law of the Internet.
-- Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer INTERMETA - Gesellschaft fuer Mehrwertdienste mbH email@example.com
Am Schwabachgrund 22 Fon.: 09131 / 50654-0 firstname.lastname@example.org D-91054 Buckenhof Fax.: 09131 / 50654-20 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/