Has anyone seen anything posted on the bell.ca RDNS compromise?
I'm just curious because I can't find anything about it with Google. It seems that on and off over the past couple of days the reverse DNS for bell.ca has been compromised and crackers manipulated it to resolve to various insulting domain names.
I'm wondering if anyone has seen a news article on it or has any information on how the attack was executed.
Nothing specifically, but it wouldn't surprise me considering the list of high-profile servers that got cracked with the do_brk() exploit. Deb, Gentoo, FSF again. Those really don't worry me as much as the ones we're not hearing about.
Original Poster
I was guessing it may have been a combination of exploiting rsync(d) to gain local access and do_brk() to get root, but that was just a guess. The rsync port does not appear to be open (at least to my IP), but I did notice that two Veritas NetBackup ports are open on each of the authoritative servers for their in-addr.arpa zones. I'm wondering if those are actually NetBackup, or perhaps a trojan backdoor?
I haven't been able to guess the OS since I'm using OpenBSD on my firewall and it scrubs packets (nmap thinks the remote OS is OpenBSD because of the packet scrubbing).
And yes, I suspect some major corporations will be compromised by the do_brk() vulnerability. It will be interesting to see if they release any information to California consumers (since they're supposed to notify consumers if confidential and identifying information is suspected of being viewed).
I also think the do_brk vulnerability in combination with rsync will lead to several compromises. However those systems should be compromised and just shut down so the admins take more care about reading BugTraq or VulnWatch and properly secure their systems :-)
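A defender-side consistency check for the kind of reverse-zone tampering the thread describes, added here as an example and not taken from any of the posts: it compares the PTR answer from each authoritative server for the in-addr.arpa zone, flags targets outside the expected domain, and forward-confirms each target. The server names, addresses and records are constructed placeholders; a real run would fill PTR_ANSWERS by querying every NS listed for the zone.

```python
import ipaddress

# Constructed sample data (placeholders, not real bell.ca records): the PTR
# answer each authoritative server gave for an IP, plus a forward (A) table
# used for forward-confirmed reverse DNS (FCrDNS).
PTR_ANSWERS = {
    "203.0.113.10": {"ns1.example.": "host-10.example.net.",
                     "ns2.example.": "host-10.example.net."},
    "203.0.113.11": {"ns1.example.": "host-11.example.net.",
                     "ns2.example.": "insult.attacker-controlled.example."},
    "203.0.113.12": {"ns1.example.": "stale.example.net.",
                     "ns2.example.": "stale.example.net."},
}
FORWARD_A = {
    "host-10.example.net.": {"203.0.113.10"},
    "host-11.example.net.": {"203.0.113.11"},
    "insult.attacker-controlled.example.": {"198.51.100.1"},
    # stale.example.net. has no A record at all
}

def reverse_name(ip):
    """Owner name to query for the PTR of an IPv4/IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_rdns(ip, answers, forward, expected_suffix):
    """Return anomaly strings for one IP given per-server PTR answers."""
    issues = []
    targets = set(answers.values())
    # Authoritative servers for one zone must agree; a split answer points
    # at a tampered or unsynchronised server.
    if len(targets) > 1:
        detail = ", ".join(f"{s}={t}" for s, t in sorted(answers.items()))
        issues.append("servers disagree: " + detail)
    for target in sorted(targets):
        # PTR targets should stay inside the organisation's own domain.
        if not target.endswith(expected_suffix):
            issues.append(f"unexpected PTR target {target}")
        # FCrDNS: the name the PTR points at must resolve back to the IP.
        if ip not in forward.get(target, set()):
            issues.append(f"FCrDNS failure: {target} does not map to {ip}")
    return issues

def audit(ptr_answers, forward, expected_suffix):
    """Run check_rdns over every IP; an empty list means the record is clean."""
    return {ip: check_rdns(ip, ans, forward, expected_suffix)
            for ip, ans in ptr_answers.items()}

if __name__ == "__main__":
    for ip, issues in audit(PTR_ANSWERS, FORWARD_A, ".example.net.").items():
        print(reverse_name(ip), issues or "ok")
```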