one last thing about BIND - if I ipchains block it... ipchains -A input -i (external interface) -s 0.0.0.0/0 -p TCP 53 -j DENY -l ipchains -A input -i (external interface) -s 0.0.0.0/0 -p UDP 53 -j DENY -l does it seem to safely stop BIND attacks so I can use BIND on this machine to supply DNS to the computers on the internal network? Craig > -----Original Message----- > From: plug-discuss-admin@lists.plug.phoenix.az.us > [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Mike > Sheldon > Sent: Tuesday, March 28, 2000 7:13 PM > To: plug-discuss@lists.plug.phoenix.az.us > Subject: RE: violated > > > They may have initially rooted you using a well-known exploit in BIND. If > you're not running 8.2.2 patchlevel 3 or better (current is patchlevel 5) > you are very definitely vulnerable. This might explain the > "damage" done to > BIND. > > Michael J. Sheldon > Internet Applications Developer > Phone: 480.699.1084 > http://www.desertraven.com/ > PGP Key Available on Request > > -----Original Message----- > From: plug-discuss-admin@lists.PLUG.phoenix.az.us > [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Craig > White > Sent: Tuesday, March 28, 2000 17:29 > To: plug-discuss@lists.PLUG.phoenix.az.us > Subject: violated > > > below is a message I sent to abuse@rogers.home.com > > I post it in case anyone has comment - I note that once this > person finished > their playing, the shell was damaged and I couldn't use emacs or > any normal > editor...bind was toasted. > > I suppose you can whip me for not stopping telnet services but I > hope we can > get beyond that. > > Craig > > > would like to see you stop this person > > IP Address... 24.113.4.113 > > > > This person entered unauthorized - damaged the shells on at least > > 2 computers that I administrate, destroyed the BIND process and I > > may not be smart enough to figure whatever else they did so I > > have stopped telnet services and have rebuilt the systems. > > > > > > syslog entries on barney.azapple.com (24.221.62.42 -7GMT) > > ------------------------------------ > > Mar 26 04:19:39 barney in.telnetd[2022]: connect from 24.113.4.113 > > Mar 26 04:19:56 barney login: LOGIN ON 0 BY hc FROM > > cr872028-a.poco1.bc.wave.home.com > > Mar 26 04:21:59 barney pam_console[2023]: getpwnam failed for hc > > > > securelog entries on barney.azapple.com > > --------------------------------------- > > Mar 26 04:19:39 barney in.telnetd[2022]: connect from 24.113.4.113 > > Mar 26 04:19:56 barney login: LOGIN ON 0 BY hc FROM > > cr872028-a.poco1.bc.wave.home.com > > Mar 26 04:21:59 barney pam_console[2023]: getpwnam failed for hc > > > > > > syslog entries on mail.despinsprinting.com (24.221.16.195 -7GMT) > > ------------------------------------------ > > Mar 26 16:00:20 mail named[533]: Lame server on > > 'lsolss.larenco.com' (in 'LARENCO.com'?): [24.221.30.3].53 > > Mar 26 16:00:28 mail named[533]: Lame server on > > 'lsolss.larenco.com' (in 'LARENCO.com'?): [204.210.2.110].53 > > 'VNS1.RRSAN.com' > > Mar 26 16:01:38 mail PAM_pwdb[3098]: (login) session opened for > > user hc by (uid=0) > > Mar 26 16:02:04 mail PAM_pwdb[3110]: (su) session opened for user > > hantu by hc(uid=758) > > > > securelog entries on mail.despinsprinting.com > > --------------------------------------------- > > Mar 26 16:01:29 mail in.telnetd[3096]: connect from 24.113.4.113 > > Mar 26 16:01:38 mail login: LOGIN ON 0 BY hc FROM > > cr872028-a.poco1.bc.wave.home.com > > Mar 26 16:08:07 mail ipop3d[3149]: connect from 192.168.1.52 > > Mar 26 16:08:56 mail pam_console[3098]: getpwnam failed for hc > > > > > _______________________________________________ > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss > > > _______________________________________________ > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss