Mailinglist Archive: opensuse (3666 mails)

DNS Server Hacked?
  • From: "L. Mark Stone" <lmstone@xxxxxxxxx>
  • Date: Fri, 11 Mar 2005 09:24:08 -0500 (EST)
  • Message-id: <50312.162.84.182.216.1110551048.squirrel@xxxxxxxxxxxxxxxx>
A friend (not a customer) called me up yesterday, saying the two DNS
servers he maintains for his customers' web farm had gone down hard,
taking all of his customers' web sites off the air.

He had new boxes he was going to put in anyway this month to replace the
old DNS boxes, so he just built the replacement DNS servers, unplugged the
old ones and put them aside. Customers were down for maybe six hours,
overnight, and no customer was too adversely impacted. (I've previously
suggested to him that he outsource DNS to someone else, but that's another
story...)

After a few hours' sleep, he tried to boot up the old DNS servers (without
them having an Ethernet connection) and found they wouldn't boot. So, he
popped in a Knoppix CD to take a look at their hard drives.

He found that on both machines the /usr/bin and the /usr/lib directories
were missing. We both suspect an exploit, but I thought I would post here
to see if anyone has experience with or knowledge of a specific exploit
that would produce this result, to try to jump start the post mortem
analyses of these boxes.

Feel free to reply to me off list if you prefer. Just to be clear, I'm
not looking for a how-to. I'm just trying to help a friend with some data
gathering before he calls our mutual friend in San Francisco, who owns a
security forensics firm.

Thanks,
Mark


--
____________________________________________________________
A Message From... L. Mark Stone

Reliable Networks of Maine, LLC

"We manage your network so you can manage your business."

477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
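Since the question is about gathering data from the old disks before the forensics people get them, here is an added example of an offline triage script; it is not part of Mark's post and not something the list supplied. It assumes the old server's root partition is mounted read-only from a live CD at a path you pass in. The device name /dev/sda2, the mount point /mnt/suspect, the evidence path, the list of expected directories and the demo tree it builds are all assumptions constructed for the example.

```shell
#!/bin/sh
# Offline triage of a suspect root filesystem from a live CD (Knoppix or
# similar). Added example, not code from the original post. It assumes the
# old server's root partition is mounted read-only at the path passed as $1;
# /dev/sda2, /mnt/suspect and /mnt/evidence below are assumed names.
#
# Suggested order on the real box (comments only, not run by this script):
#   1. Image the disk first and work on the copy, so that nothing further
#      touches the original (booting the box already changed it):
#        dd if=/dev/sda of=/mnt/evidence/sda.img bs=4M conv=noerror,sync
#        sha256sum /mnt/evidence/sda.img > /mnt/evidence/sda.img.sha256
#   2. Mount without updating timestamps or executing anything on it:
#        mount -o ro,noexec,nodev,noatime /dev/sda2 /mnt/suspect
#   3. Run the checks below with /mnt/suspect as the argument.

# Directories a minimal Linux root is expected to have (assumed list).
# Absent ones are printed one per line, relative to the root.
missing_dirs() {
    root=$1
    for d in bin sbin lib etc usr/bin usr/sbin usr/lib var/log; do
        [ -d "$root/$d" ] || printf '%s\n' "$d"
    done
}

# Number of expected directories that are absent.
missing_count() {
    missing_dirs "$1" | wc -l | tr -d ' '
}

# SHA-256 of every regular file still present, sorted by path, so the state
# of the disk is recorded before anyone else looks at it. On an RPM-based
# system with an intact database, "rpm -Va --root $root" is the next check.
hash_manifest() {
    root=$1
    find "$root" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# Regular files modified within the last N days: a quick "what changed" list.
recent_files() {
    root=$1
    days=$2
    find "$root" -type f -mtime "-$days"
}

# Constructed demo tree standing in for the mounted disk. usr/bin and
# usr/lib are deliberately absent, matching the symptom described in the post.
make_demo_root() {
    root=$1
    mkdir -p "$root/bin" "$root/sbin" "$root/lib" "$root/etc" \
             "$root/usr/sbin" "$root/var/log"
    printf 'demo binary\n' > "$root/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf 'demo log line, constructed for the example\n' \
        > "$root/var/log/messages"
}

# Demo run against the constructed tree; set TRIAGE_DEMO=0 to skip it.
if [ "${TRIAGE_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    make_demo_root "$demo"
    echo "missing directories: $(missing_count "$demo")"
    missing_dirs "$demo"
    hash_manifest "$demo"
    rm -rf "$demo"
fi
```

On a real disk, redirect the output of missing_dirs, hash_manifest and recent_files into files on the evidence volume (never onto the suspect disk), hash those too, and hand the lot to the forensics firm together with the disk image.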