>
> I suspect that I've been hacked. I found a directory titled "ADMROCKS" in
> /var/named owned by root and I know that I didn't create it. Does anyone
> recognize this?
http://www.cert.org/advisories/CA-99-14-bind.html
The "nxt" one....
It's not a major root kit, but serious enough to where you can't really be
sure how far their access got them.
Upgrade your version of BIND at the very least, and a better solution would
be a re-install/restore from backup.
Look for weird accounts in /etc/passwd, old accounts that have suddenly
logged in recently. If your 'who' or 'last' or 'ps' or 'top' utilities
suddenly act weird then you know they're still trying to hide something.
> Any recommendations / advice on how to move forward? I have RedHat 6.1 and
> all of the latest updates on the system. My guess is that I'll need to
> rebuild the system. Of course, there's no way for me to know if the hacker
> can just break right back in after I do that. I also figure I need to setup
> a firewall. Any recommendations on that? Ie. firewall software to use,
> related URLs, etc.
Refresh your memory of inetd.conf, hosts.allow, hosts.deny: in fact become
an expert with them. Install PortSentry and logcheck. ipchains makes for
a nice firewall and its syntax isn't too hard to pick up.
If this is a primary DNS server then you have to keep that named port 53
open. Just stay up to date on the latest patches to BIND.
Good luck.
Eric Cifreo
Austin, TX
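An added example, not part of Eric's reply or the original post: the triage and hardening steps he lists, written as shell functions that run offline over constructed data. The sample /etc/passwd lines, the sample `last` output, the addresses 198.51.100.5 and 203.0.113.7 and the network 192.0.2.0/255.255.255.0 are all hypothetical; on the real box feed the functions the live files and your own addresses.

```shell
#!/bin/sh
# Added example (not from the original post): incident triage and hardening
# helpers for a Red Hat 6.x name server. All sample data below is constructed.

# Constructed /etc/passwd contents. On a real host: cat /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
toor:x:0:0:backdoor:/root:/bin/bash
guest:x:506:506::/home/guest:/bin/sh'

# Constructed `last` output. On a real host: last -i
SAMPLE_LAST='guest    pts/1   203.0.113.7   Tue Nov 16 03:12   still logged in
root     tty1                  Mon Nov 15 09:00 - 17:30  (08:30)
guest    pts/0   192.0.2.44    Wed Jun  2 11:05 - 11:20  (00:15)'

# 1. Any UID 0 account other than root is a planted superuser login.
#    Argument: passwd text (defaults to the constructed sample).
extra_uid0() {
    printf '%s\n' "${1:-$SAMPLE_PASSWD}" \
        | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# 2. Accounts that have a real login shell and have logged in from a remote
#    address, printed with that address, so each one can be checked against
#    who is supposed to use the account and from where.
#    Arguments: passwd text, `last` output (both default to the samples).
remote_shell_logins() {
    shells=$(printf '%s\n' "${1:-$SAMPLE_PASSWD}" \
        | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }')
    printf '%s\n' "${2:-$SAMPLE_LAST}" | awk -v users="$shells" '
        BEGIN { n = split(users, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ok[$1] && $3 ~ /^[0-9]+\./ { print $1, $3 }'
}

# 3. TCP wrappers: deny everything in hosts.deny, then allow only the admin
#    network in hosts.allow. $1 is the directory to write into (/etc on the
#    real box, a scratch directory for a dry run); $2 is the allowed network
#    in tcpd's address/netmask form.
write_tcp_wrappers() {
    dir=$1; net=$2
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'ALL: %s\n' "$net" > "$dir/hosts.allow"
}

# 4. ipchains rules for a primary name server: default deny on input, accept
#    port 53 from anywhere, admin access only from the admin network, and
#    replies to connections the box itself opened. The commands are printed
#    rather than executed so they can be reviewed first.
#    Arguments: the server's address, the admin network, the admin port
#    (22 for sshd; use 23 if you still run telnet out of inetd).
emit_ipchains_rules() {
    ip=$1; admin=$2; port=${3:-22}
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -p udp -s 0/0 -d $ip 53 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d $ip 53 -j ACCEPT
ipchains -A input -p tcp -s $admin -d $ip $port -j ACCEPT
ipchains -A input -p tcp ! -y -d $ip -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -d $ip 1024:65535 -j ACCEPT
ipchains -A input -j DENY -l
EOF
}

# Dry run over the constructed data.
extra_uid0
remote_shell_logins
emit_ipchains_rules 198.51.100.5 192.0.2.0/255.255.255.0
```

The `! -y` rule accepts TCP packets without the SYN flag alone set, i.e. replies to connections the server opened; the `-s 0/0 53` rule accepts answers from other name servers to BIND's unprivileged query ports; the final `-l` logs whatever is denied to syslog. For the "ps and top act weird" check, the on-box tool is `rpm -V` (for example `rpm -Vf /bin/ps /usr/bin/top /usr/bin/last /usr/bin/who`, assuming the usual Red Hat locations), but a rootkit that replaced those binaries may also have replaced rpm or edited its database, so trust that verification only when run from known-good media.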