LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-05-2003, 11:31 PM   #1
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Has anyone seen anything posted on the bell.ca RDNS compromise?


I'm just curious because I can't find anything about it with Google. It seems that on and off over the past couple of days the reverse DNS for bell.ca has been compromised and crackers manipulated it to resolve to various insulting domain names.

I'm wondering if anyone has seen a news article on it or has any information on how the attack was executed.
 
Old 12-06-2003, 12:21 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Nothing specifically, but it wouldn't surprise me considering the list of high-profile servers that got cracked with the do_brk() exploit. Deb, Gentoo, FSF again. Those really don't worry me as much as the ones we're not hearing about.
 
Old 12-06-2003, 01:10 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Original Poster
Rep: Reputation: 76
I was guessing it may have been a combination of exploiting rsync(d) to gain local access and do_brk() to get root, but that was just a guess. The rsync port does not appear to be open (at least to my IP), but I did notice that two Veritas NetBackup ports are open on each of the authoritative servers for their in-addr.arpa zones. I'm wondering if those are actually Netbkp, or perhaps a trojan backdoor?

I haven't been able to guess the OS since I'm using OpenBSD on my firewall and it scrubs packets (nmap thinks the remote OS is OpenBSD because of the packet scrubbing).

And yes, I suspect some major corporations will be compromised by the do_brk() vulnerability. It will be interesting to see if they release any information to California consumers (since they're supposed to notify consumers if confidential and identifying information is suspected of being viewed).

Last edited by chort; 12-06-2003 at 01:12 AM.
 
Old 12-06-2003, 07:45 AM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
I also think the do_brk vulnerability in combination with rsync will lead to several compromises. However, those systems should be compromised and just shut down so the admins take more care about reading BugTraq or VulnWatch and properly secure their systems :-)
 
  

