Gee, I wonder what their idea of "resolved" is?

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Craig White
Sent: Tuesday, March 28, 2000 19:21
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: RE: violated

indeed - and http://rogers.home.com/CustomerSupport/ shows that the specific IP address that violated me and the other on 3/26/00 was listed in their internet abuse on 3/23/00 and resolved on 3/24/00.

They did a great job of stopping them didn't they?

I didn't mind them crashing BIND as much as I minded the damage to the bash shell. I did reinstall and didn't reinstall BIND.

Craig

> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Mike Sheldon
> Sent: Tuesday, March 28, 2000 7:13 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: RE: violated
>
> They may have initially rooted you using a well-known exploit in BIND. If
> you're not running 8.2.2 patchlevel 3 or better (current is patchlevel 5)
> you are very definitely vulnerable. This might explain the "damage" done to
> BIND.
>
> Michael J. Sheldon
> Internet Applications Developer
> Phone: 480.699.1084
> http://www.desertraven.com/
> PGP Key Available on Request
>
> -----Original Message-----
> From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Craig White
> Sent: Tuesday, March 28, 2000 17:29
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: violated
>
> below is a message I sent to abuse@rogers.home.com
>
> I post it in case anyone has comment - I note that once this person finished
> their playing, the shell was damaged and I couldn't use emacs or any normal
> editor...bind was toasted.
>
> I suppose you can whip me for not stopping telnet services but I hope we can
> get beyond that.
>
> Craig
>
> > would like to see you stop this person
> > IP Address... 24.113.4.113
> >
> > This person entered unauthorized - damaged the shells on at least
> > 2 computers that I administrate, destroyed the BIND process and I
> > may not be smart enough to figure whatever else they did so I
> > have stopped telnet services and have rebuilt the systems.
> >
> > syslog entries on barney.azapple.com (24.221.62.42 -7GMT)
> > ------------------------------------
> > Mar 26 04:19:39 barney in.telnetd[2022]: connect from 24.113.4.113
> > Mar 26 04:19:56 barney login: LOGIN ON 0 BY hc FROM cr872028-a.poco1.bc.wave.home.com
> > Mar 26 04:21:59 barney pam_console[2023]: getpwnam failed for hc
> >
> > securelog entries on barney.azapple.com
> > ---------------------------------------
> > Mar 26 04:19:39 barney in.telnetd[2022]: connect from 24.113.4.113
> > Mar 26 04:19:56 barney login: LOGIN ON 0 BY hc FROM cr872028-a.poco1.bc.wave.home.com
> > Mar 26 04:21:59 barney pam_console[2023]: getpwnam failed for hc
> >
> > syslog entries on mail.despinsprinting.com (24.221.16.195 -7GMT)
> > ------------------------------------------
> > Mar 26 16:00:20 mail named[533]: Lame server on 'lsolss.larenco.com' (in 'LARENCO.com'?): [24.221.30.3].53
> > Mar 26 16:00:28 mail named[533]: Lame server on 'lsolss.larenco.com' (in 'LARENCO.com'?): [204.210.2.110].53 'VNS1.RRSAN.com'
> > Mar 26 16:01:38 mail PAM_pwdb[3098]: (login) session opened for user hc by (uid=0)
> > Mar 26 16:02:04 mail PAM_pwdb[3110]: (su) session opened for user hantu by hc(uid=758)
> >
> > securelog entries on mail.despinsprinting.com
> > ---------------------------------------------
> > Mar 26 16:01:29 mail in.telnetd[3096]: connect from 24.113.4.113
> > Mar 26 16:01:38 mail login: LOGIN ON 0 BY hc FROM cr872028-a.poco1.bc.wave.home.com
> > Mar 26 16:08:07 mail ipop3d[3149]: connect from 192.168.1.52
> > Mar 26 16:08:56 mail pam_console[3098]: getpwnam failed for hc
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
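
The sequence visible in the log excerpts quoted in this thread (a telnet login by `hc`, an `su` to another account, then `getpwnam failed` for the same user) can be flagged automatically when reviewing a host's logs. The following Python script is an added example, not part of the original thread; the rule set and the `parse` and `suspicious_sessions` functions are hypothetical names, and the sample lines are copied from the quoted logs with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpts quoted in the thread (wrapped lines rejoined).
SAMPLE = """\
Mar 26 04:19:56 barney login: LOGIN ON 0 BY hc FROM cr872028-a.poco1.bc.wave.home.com
Mar 26 04:21:59 barney pam_console[2023]: getpwnam failed for hc
Mar 26 16:01:29 mail in.telnetd[3096]: connect from 24.113.4.113
Mar 26 16:01:38 mail login: LOGIN ON 0 BY hc FROM cr872028-a.poco1.bc.wave.home.com
Mar 26 16:01:38 mail PAM_pwdb[3098]: (login) session opened for user hc by (uid=0)
Mar 26 16:02:04 mail PAM_pwdb[3110]: (su) session opened for user hantu by hc(uid=758)
Mar 26 16:08:07 mail ipop3d[3149]: connect from 192.168.1.52
Mar 26 16:08:56 mail pam_console[3098]: getpwnam failed for hc
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.]+)(?:\[\d+\])?: (.*)$")
RULES = [  # hypothetical rule set: (program, message pattern, event name)
    ("login", re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>\S+)"), "telnet_login"),
    ("PAM_pwdb", re.compile(r"\(su\) session opened for user (?P<target>\S+)"
                            r" by (?P<user>[^(\s]+)"), "su"),
    ("pam_console", re.compile(r"getpwnam failed for (?P<user>\S+)"), "user_lookup_failed"),
]

def parse(text):
    """Yield (timestamp, host, event, fields) for each line matching a rule."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        for want, pat, event in RULES:
            hit = pat.search(msg) if prog == want else None
            if hit:
                yield ts, host, event, hit.groupdict()

def suspicious_sessions(text):
    """Return {(host, user): [(timestamp, event, detail), ...]} for remote
    logins that are later followed by an su from that user, or by a failed
    passwd lookup of that user (the name no longer resolved via getpwnam)."""
    seen = defaultdict(list)
    for ts, host, event, f in parse(text):
        detail = f.get("src") or f.get("target")
        seen[(host, f["user"])].append((ts, event, detail))
    return {k: v for k, v in seen.items()
            if v[0][1] == "telnet_login" and len(v) > 1}

if __name__ == "__main__":
    for (host, user), events in suspicious_sessions(SAMPLE).items():
        print(host, user, events)
```
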