On Fri, 31 Mar 2000, Chrissy wrote:
chrissy@rox:~ > /usr/sbin/named -v
named 8.2.2-P3 Sun Nov 14 20:46:41 GMT 1999
        root@snell:/usr/src/packages/BUILD/bind8-8.2.2/bin/named
chrissy@rox:~ > rpm -qa |grep bind
bindutil-8.2.2-8
bind8-8.2.2-8
I opened exec (512) to test X-Win32 ..so that was open too...but behind ipchains.
While doing a portscan.. I noticed a weird port.. 687 ..any clues?
an rpm -Va showed nothing odd...
Thanks much, Chrissy
Looks like a named buffer overflow exploit. What version of named are you using?
-- Bob F

I am not up on this particular exploit. I would investigate the bugtraq thread I sent you off list. From what I have read I think 8.2.2-P3 is OK but I would check further - I may have missed something. Port 687 does not ring any bells but does sound suspicious. I would operate under the assumption that the box has been compromised until you can prove otherwise (just my opinion).
Good Luck!
-- Bob F
EMail FBob@wt.net
A Truly Wise Man Never Plays Leapfrog With A Unicorn...