[Sussex] DNS Hack attack?

Macdonald-Wallace, Matthew J s0209208 at glos.ac.uk
Tue Nov 12 10:21:01 UTC 2002


John,

Thanks for that, I'll pass it on.  I got kicked out of the IT suite last
night before I could receive the reply! (I hate not having a net connection
in halls...)

M.

>-----Original Message-----
>From: John Crowhurst [mailto:fyremoon at fyremoon.net]
>Sent: 11 November 2002 20:59
>To: sussex at mailman.lug.org.uk
>Subject: Re: [Sussex] DNS Hack attack?
>
>
>
>> All,
>>
>> Anyone know what the following mean? I've been mailed it by a friend who
>> doesn't understand his DNS logs.  Neither do I! :o)
>
>Firstly, a dangling CNAME is when a DNS record is missing the A record, an
>example would be here:
>
>www IN A 1.2.3.4
>www2 IN CNAME www
>www3 IN CNAME www4
>
>www3 is a dangling CNAME in this case, as there is no A (address) record
>for www4.
>
>A CNAME (Canonical Name) is similar to an alias, where it points to an A
>record.
>
>This can occur in the case of "split DNS", where there are two different
>versions of the DNS around the internet, and a lookup is pulling down the
>broken setup.
>
>The DNS restarts seem to be worrying though, as if it's attempting to spawn
>when there is already a copy of bind running, and bound to the port.
>
>Perhaps upgrading the version of bind to be on the safe side would be a
>wise move anyway, and perhaps check the system for any possible rootkit.
>
>If it's an RPM based distribution, you can query the integrity of the files
>by issuing:
>
># rpm -Va
>
>Download a copy of chkrootkit too, and give it a quick once over. It may
>be me being overly paranoid, but you will be able to sleep better tonight.
>
>-- 
>John
>
>
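
Added example, not part of either message: a small Python check for the dangling CNAME case described in the quoted reply, run over the same three records. It assumes a simplified single-zone fragment with relative names in "name IN TYPE value" form, and goes a little beyond the sample by following CNAME chains, flagging loops, and marking fully qualified targets as not checkable from this zone alone. All function names are made up for the example.

```python
# Added example: find dangling CNAMEs in a simplified zone fragment.
# Assumption: one record per line, "name IN TYPE value", relative names only.

SAMPLE_ZONE = """\
www  IN A     1.2.3.4
www2 IN CNAME www
www3 IN CNAME www4
"""  # the three records from the quoted message

def parse_zone(text):
    """Return (addresses, cnames) keyed by lower-cased owner name."""
    addresses, cnames = set(), {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if len(fields) != 4 or fields[1].upper() != "IN":
            continue                              # not in the assumed form
        name, _, rtype, value = fields
        name, rtype = name.lower(), rtype.upper()
        if rtype in ("A", "AAAA"):
            addresses.add(name)
        elif rtype == "CNAME":
            cnames[name] = value.lower()
    return addresses, cnames

def classify(name, addresses, cnames):
    """Follow the CNAME chain starting at name and report how it ends."""
    seen = set()
    while name in cnames:
        if name in seen:
            return "loop"
        seen.add(name)
        name = cnames[name]
    if name.endswith("."):
        return "external"   # fully qualified target, outside this fragment
    return "ok" if name in addresses else "dangling"

def dangling_cnames(text):
    """Map each CNAME owner that does not resolve to an address to its status."""
    addresses, cnames = parse_zone(text)
    results = {n: classify(n, addresses, cnames) for n in sorted(cnames)}
    return {n: s for n, s in results.items() if s != "ok"}

if __name__ == "__main__":
    for owner, status in dangling_cnames(SAMPLE_ZONE).items():
        print(f"{owner}: {status}")
```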
