[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SV: [cobalt-security] hacked again!

Subject: Re: SV: [cobalt-security] hacked again!
From: David Garcia Watkins <dgw@xxxxxxxxxxx>
Date: Sat, 05 May 2001 19:29:46 CEST
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Your right ... AXFR should only happen between a primary DNS server and its secondary DNS severs.

On 05 May 2001 15:15 CEST you wrote:

> Hi,
> 
> But why does the raqserver do zone transfer (AXFR) to this IP numbers that I
> dont now? And it was that wich made the cpu go up to over 55,00 when it
> normal is about 0,5!
> 
>> The log bits you are quoting dont seem suspicious to me. For example:
>> 
>> For example, AXFR's are sent and aproved when the server is rebooted and
>> master zones are loaded then aswell.
>> The telnetd error looks like RaQ's monitor testing to see if its alive and
>> the proftpd error aswell.
>> Lame server error can be quite generic these days, I found I was getting a
>> long list of lame servers everytime I ran webalizer, because the data in the
>> logs was old are was no longer resolving properly.
>> 
>> logcheck is nice, but you need to customize the rules a bit for the RAQ or
>> you'll get a shock when you run it.

References:
- SV: [cobalt-security] hacked again!
  - From: Kai Schantz, Euroweb

Prev by Date: Re: [cobalt-security] RaQ3-All-Kernel-4.0.1-2.216C24III.pkg
Next by Date: Re: [cobalt-security] named "denied update" error
Previous by thread: SV: [cobalt-security] hacked again!
Next by thread: [cobalt-security] Samba /tmp security hole

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index