RE: Pubstro rash
From: Alexandre Skyrme (alexandre.skyrme_at_ciphersec.com.br)
Date: 03/17/05
- Previous message: Steve Drees: "RE: Pubstro rash"
- In reply to: David Gillett: "Pubstro rash"
- Next in thread: Jeff Kell: "Re: Pubstro rash"
- Reply: Jeff Kell: "Re: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Thu, 17 Mar 2005 18:57:18 -0300
Greetings David,
Just a thought about your third comment...
As far as I'm concerned DNS just uses 53/TCP to do zone transfers. In case
your workstations are on a different network than your DNS servers it should
probably be safe to block incoming TCP connections to that network on such
port.
Tipically zone transfers would only be used by secondary servers to update
their own zones from its primary server.
Regards,
--
Alexandre Skyrme
Cipher - Segurança da Informação
+55-21-2542-6677
www.ciphersec.com.br
Esta mensagem eletrônica pode conter informações privilegiadas e/ou
confidenciais, portanto fica o seu receptor notificado de que qualquer
disseminação, distribuição ou cópia não autorizada é estritamente proibida.
Se você recebeu esta mensagem indevidamente ou por engano, por favor,
informe este fato ao remetente e a apague de seu computador imediatamente.
This e-mail message may contain legally privileged and/or confidential
information, therefore, the recipient is hereby notified that any
unauthorized dissemination, distribution or copying is strictly prohibited.
If you have received this e-mail message inappropriately or accidentally,
please notify the sender and delete it from your computer immediately.
-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu]
Sent: quarta-feira, 16 de março de 2005 22:59
To: incidents@securityfocus.com
Subject: Pubstro rash
A few times in the past, someone has managed to break
into one or another of our servers and set up an FTP server
("pubstro") on an unused high port. I'm facing something
similar at the moment, but there are some distinct differences:
1. The compromised hosts are workstations, not servers.
I'm hoping our field techs will be able to identify a
common OS/SP level amongst the compromised machines. No servers appear to
be affected.
2. There have been 14 of them in less than 5 days. OUCH.
3. Instead of a random high port, the installed FTP server
listens on port 53. Which I can't block, because DNS may
need to use it, right?
4. The FTP banners all claim to be the work of "Droppunx".
5. At this point, I don't know how the machines are getting
compromised initially. I'd appreciate if anyone else is seeing this pattern
and has some insight they'd care to share.
David Gillett
- Previous message: Steve Drees: "RE: Pubstro rash"
- In reply to: David Gillett: "Pubstro rash"
- Next in thread: Jeff Kell: "Re: Pubstro rash"
- Reply: Jeff Kell: "Re: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
