LinuxQuestions.org

Linux - Security: Has anyone seen anything posted on the bell.ca RDNS compromise? (https://www.linuxquestions.org/questions/linux-security-4/has-anyone-seen-anything-posted-on-the-bell-ca-rdns-compromise-123157/)

chort 12-05-2003 11:31 PM

Has anyone seen anything posted on the bell.ca RDNS compromise?
 
I'm just curious because I can't find anything about it with Google. It seems that on and off over the past couple of days the reverse DNS for bell.ca has been compromised and crackers manipulated it to resolve to various insulting domain names.

I'm wondering if anyone has seen a news article on it or has any information on how the attack was executed.
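The kind of tampering described above (reverse records for a block pointing at unexpected names) is easy to watch for from the outside. The script below is an added example, not something posted in this thread: it checks each IP's PTR record against an allow-list of expected domains and then forward-confirms the PTR name (FCrDNS), so an alert fires if either the name is foreign or the name no longer resolves back to the IP. The resolver functions are injectable; the constructed in-memory zone data uses RFC 5737 documentation addresses and made-up names so it runs offline, and the live resolvers use only the standard library.

```python
import socket
from typing import Callable, Dict, List, Optional, Sequence

# Resolver callables: a PTR lookup returns a hostname or None, an A lookup
# returns a list of IPv4 strings. Injected so the check can run against
# constructed data or against the real resolver.
PtrResolver = Callable[[str], Optional[str]]
AResolver = Callable[[str], List[str]]


def live_ptr(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the system resolver; None if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name: str) -> List[str]:
    """Forward (A) lookup through the system resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_rdns(ip: str, expected_suffixes: Sequence[str],
               resolve_ptr: PtrResolver = live_ptr,
               resolve_a: AResolver = live_a) -> Dict[str, object]:
    """Return a verdict for one IP: ok, warn (no PTR) or alert (with reasons)."""
    reasons: List[str] = []
    ptr = resolve_ptr(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "status": "warn", "reasons": ["no PTR record"]}
    name = ptr.rstrip(".").lower()
    # 1. The reverse name must sit under one of the domains we expect.
    if not any(name == s or name.endswith("." + s) for s in expected_suffixes):
        reasons.append(f"PTR name {name!r} is not under an expected domain")
    # 2. Forward-confirmed reverse DNS: the name must resolve back to the IP.
    if ip not in resolve_a(name):
        reasons.append("forward lookup of the PTR name does not return the IP (FCrDNS mismatch)")
    return {"ip": ip, "ptr": name, "status": "alert" if reasons else "ok", "reasons": reasons}


# Constructed sample zone data (documentation addresses, invented names).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net.",          # healthy
    "192.0.2.11": "insulting.example.org.",     # foreign name, does not point back
    "192.0.2.12": "ns1.example.net.",           # expected name, but stale forward record
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "insulting.example.org": ["198.51.100.7"],
    "ns1.example.net": ["203.0.113.5"],
}


def run_sample() -> List[Dict[str, object]]:
    """Run the check over the constructed zone with expected domain example.net."""
    return [check_rdns(ip, ["example.net"], SAMPLE_PTR.get,
                       lambda n: SAMPLE_A.get(n, []))
            for ip in sorted(SAMPLE_PTR)]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict["ip"], verdict["status"], "; ".join(verdict["reasons"]))
```

To monitor a real block, call `check_rdns(ip, ["yourdomain.example"])` with the default resolvers on a schedule and alert on any status other than `ok`; a sudden batch of alerts across a zone's address space is the signal the thread describes.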

Capt_Caveman 12-06-2003 12:21 AM

Nothing specifically, but it wouldn't surprise me considering the list of high-profile servers that got cracked with the do_brk() exploit. Deb, Gentoo, FSF again. Those really don't worry me as much as the ones we're not hearing about.

chort 12-06-2003 01:10 AM

I was guessing it may have been a combination of exploiting rsync(d) to gain local access and do_brk() to get root, but that was just a guess. The rsync port does not appear to be open (at least to my IP), but I did notice that two Veritas NetBackup ports are open on each of the authoritative servers for their in-addr.arpa zones. I'm wondering if those are actually NetBackup, or perhaps a trojan backdoor?

I haven't been able to guess the OS since I'm using OpenBSD on my firewall and it scrubs packets (nmap thinks the remote OS is OpenBSD because of the packet scrubbing).

And yes, I suspect some major corporations will be compromised by the do_brk() vulnerability. It will be interesting to see if they release any information to California consumers (since they're supposed to notify consumers if confidential and identifying information is suspected of being viewed).

markus1982 12-06-2003 07:45 AM

I also think the do_brk vulnerability in combination with rsync will lead to several compromises. However, those systems should be compromised and just shut down so the admins take more care about reading BugTraq or VulnWatch and properly secure their systems :-)
