The hacker wanted to exploit the bind security hole. See the CERT info
at:
http://www.cert.org/current/current_activity.html#bind
This exploit is being used to break into Linux boxes. I had one cracked
last week. That taught me to keep the patches current. Make sure you
have the latest bind patches:
http://www.redhat.com/support/errata/rh61-errata-security.html
for RH6.1
As for the auth probe, I know that's one of the ports that get probed,
but I don't know the rationale behind it. I also would suggest
installing tripwire because it will tell you what files got changed if
you do get cracked, that is, if the cracker doesn't find the database
file.
Fred
matt boex wrote:
>
> i downloaded ippl, basically logs all tcp, udp
> connections. looking at the log today i see this
> entry-
>
> Jan 29 12:25:48 domain connection attempt from
> [EMAIL PROTECTED] [216.0.222.7]
> (216.0.222.7:4749->my-ip-address:53)
> Jan 29 12:33:41 port 113 connection attempt from
> ns.pfsfhq.com [216.0.222.7]
> (216.0.222.7:3703->my-ip-address:113)
> Jan 29 12:35:32 port 113 connection attempt from
> ns.pfsfhq.com [216.0.222.7]
> (216.0.222.7:4918->my-ip-address
>
> seems like it is on port 113 and 53. 53 would be dns
> i guess but i am not running named. 113 is auth.
> don't know exactly how that works, i couldn't find any
> man pages on it. any hints?
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
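
As an added example (not part of either poster's message), this Python script parses entries in the ippl format quoted above and lists sources that tried more than one local port, the pattern seen in the port 53 and 113 attempts. The sample lines, hostnames and addresses are constructed, and one entry per line is an assumption about the unwrapped log.

```python
import re
from collections import defaultdict

# Constructed sample entries modelled on the ippl lines quoted above
# (documentation addresses; one entry per line is an assumption).
SAMPLE_LOG = """\
Jan 29 12:25:48 domain connection attempt from ns.example.net [198.51.100.7] (198.51.100.7:4749->192.0.2.10:53)
Jan 29 12:33:41 port 113 connection attempt from ns.example.net [198.51.100.7] (198.51.100.7:3703->192.0.2.10:113)
Jan 29 12:35:32 port 113 connection attempt from ns.example.net [198.51.100.7] (198.51.100.7:4918->192.0.2.10
Jan 29 13:02:10 www connection attempt from host.example.org [203.0.113.44] (203.0.113.44:1033->192.0.2.10:80)
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<service>.+?) connection attempt from "
    r".*?\((?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:\s)]+):(?P<dport>\d+)\)\s*$"
)

def parse_entries(text):
    """Return (entries, skipped); skipped holds lines that did not parse, e.g. truncated ones."""
    entries, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
        else:
            skipped.append(line)
    return entries, skipped

def multi_port_sources(entries, min_ports=2):
    """Map each source IP that tried at least min_ports distinct local ports to those ports."""
    ports = defaultdict(set)
    for e in entries:
        ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    entries, skipped = parse_entries(SAMPLE_LOG)
    for src, ports in multi_port_sources(entries).items():
        print(f"{src} tried ports {ports}")
    print(f"{len(skipped)} line(s) could not be parsed")
```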