[Sussex] DNS Hack attack?
Macdonald-Wallace, Matthew J
s0209208 at glos.ac.uk
Tue Nov 12 10:21:01 UTC 2002
John,
Thanks for that, I'll pass it on. I got kicked out of the IT suite last
night before I could receive the reply! (I hate not having a net connection
in halls...)
M.
>-----Original Message-----
>From: John Crowhurst [mailto:fyremoon at fyremoon.net]
>Sent: 11 November 2002 20:59
>To: sussex at mailman.lug.org.uk
>Subject: Re: [Sussex] DNS Hack attack?
>
>
>
>> All,
>>
>> Anyone know what the following mean? I've been mailed it by a friend who
>> doesn't understand his DNS logs. Neither do I! :o)
>
>Firstly, a dangling CNAME is when a DNS record is missing the A record, an
>example would be here:
>
>www IN A 1.2.3.4
>www2 IN CNAME www
>www3 IN CNAME www4
>
>www3 is a dangling CNAME in this case, as there is no A (address) record
>for www4.
>
>A CNAME (Canonical Name) is similar to an alias, where it points to an A
>record.
>
>This can occur in the case of "split DNS", where there are two different
>versions of the DNS around the internet, and a lookup is pulling down the
>broken setup.
>
>The DNS restarts seem to be worrying though, as if it's attempting to spawn
>when there is already a copy of bind running, and bound to the port.
>
>Perhaps upgrading the version of bind to be on the safe side would be a
>wise move anyway, and perhaps check the system for any possible rootkit.
>
>If it's an RPM based distribution, you can query the integrity of the files
>by issuing:
>
># rpm -Va
>
>Download a copy of chkrootkit too, and give it a quick once over. It may
>be me being overly paranoid, but you will be able to sleep better tonight.
>
>--
>John
>
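
Added example, not part of the original messages: a small Python check that finds dangling CNAMEs as described in John's reply, run over the three records he quotes. It assumes a simplified zone format (one `name IN type value` record per line, all names relative to the same zone, every CNAME target expected inside that zone); the function names are made up for illustration.

```python
# Constructed sample: the three records from the quoted reply.
ZONE = """\
www   IN A     1.2.3.4
www2  IN CNAME www
www3  IN CNAME www4
"""

def parse_zone(text):
    """Return (addresses, cnames) from simplified 'name IN type value' lines."""
    addresses, cnames = {}, {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "IN":
            continue                              # not in the simplified form
        name, rtype, value = fields[0].lower(), fields[2].upper(), fields[3].lower()
        if rtype == "A":
            addresses.setdefault(name, []).append(value)
        elif rtype == "CNAME":
            cnames[name] = value
    return addresses, cnames

def resolve(name, addresses, cnames):
    """Follow the CNAME chain from name; return (status, chain)."""
    chain = [name]
    while name in cnames:
        name = cnames[name]
        if name in chain:                         # alias points back at itself
            return "loop", chain + [name]
        chain.append(name)
    return ("ok" if name in addresses else "dangling"), chain

def find_dangling(text):
    """Map each broken alias to (status, chain); healthy aliases are omitted."""
    addresses, cnames = parse_zone(text)
    report = {}
    for alias in sorted(cnames):
        status, chain = resolve(alias, addresses, cnames)
        if status != "ok":
            report[alias] = (status, chain)
    return report

if __name__ == "__main__":
    for alias, (status, chain) in find_dangling(ZONE).items():
        print(f"{alias}: {status} ({' -> '.join(chain)})")
```

A CNAME that legitimately points outside the zone would also be reported here, since the check only knows the records it was given.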