Date: Sun, 20 Dec 1998 12:29:59 +0000 (GMT)
From: Alejandro Galindo Chairez AGALINDO
To: Karl Pielorz
cc: freebsd-security@FreeBSD.ORG
Subject: Re: udp security

On Sun, 20 Dec 1998, Karl Pielorz wrote:

> On Sun, 20 Dec 1998, Alejandro Galindo Chairez AGALINDO wrote:
>
> > Thanks Karl
> >
> > I was doing exactly as you suggested, but in my mind the big problem
> > is that I don't know how they accessed the servers, and how they did it
> > across UDP. When I reinstalled the operating system, of course I closed
> > all the back doors they installed, but this morning I have the
> > following monitoring:
> >
> > [stats deleted]
>
> They seem to be sending you a lot of DNS (port 53) traffic - are you sure
> your machine has been compromised again? - There are DoS (denial of
> service) attacks for older versions of Bind (the DNS system), but not many
> exploits...

Yes, but they are using other ports for the attack, not only the domain
port 53. I am sure the machine is clean now because I reinstalled the
operating system, and I only backed up the usernames and passwords,
nothing else.

> As a temporary measure you could disable bind on your system, or if you
> recompile your kernel with bpfilters you can get a tcpdump of the actual
> traffic they're sending, e.g.
>
> tcpdump host theirhostname.com
>
> This will show all traffic going to / from their host - and might give you
> an idea of what's going on...

Yes, right now I am monitoring with trafshow, and it uses tcpdump, but I
can only see which protocol and port they are attacking with.

Thanks for your help :)

Regards
Alejandro

> UDP traffic from port 53 to port 53 (DNS) is usually one name server
> talking to another for queries...
>
> Hope that helps anyway,
>
> Regards,
>
> Karl
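Karl's suggestion is to capture the traffic with tcpdump and Alejandro's complaint is that trafshow only shows protocol and port. The script below is an added example, not code from either poster or from FreeBSD: it parses tcpdump's classic text output, counts packets per destination port and per source host, and separates the benign-looking UDP 53 to 53 name-server exchanges Karl describes from everything else. The sample capture lines and host names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the classic BSD tcpdump text format (not a real capture).
SAMPLE_TCPDUMP = """\
12:29:59.100001 ns1.example.net.53 > servidor.example.com.53: udp 40
12:29:59.100102 ns1.example.net.53 > servidor.example.com.53: udp 44
12:29:59.200003 host.example.net.31337 > servidor.example.com.53: udp 512
12:29:59.200104 host.example.net.31338 > servidor.example.com.111: udp 56
12:29:59.200205 host.example.net.31339 > servidor.example.com.7: udp 1024
12:29:59.300006 host.example.net.4000 > servidor.example.com.23: S 1:1(0) win 512
12:29:59.400007 host.example.net > servidor.example.com: icmp: echo request
"""

# "<time> <src>.<sport> > <dst>.<dport>: <rest>"; host names themselves contain dots,
# so the lazy match lets the last dotted field be the port.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for a TCP/UDP line, or None for lines without ports (ICMP, ARP, junk)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "udp" if m.group("rest").startswith("udp") else "tcp"
    return {"src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")), "proto": proto}

def summarize(text):
    """Count packets per (proto, dport) and per source, and split DNS peer traffic from the rest."""
    by_port, by_src = Counter(), Counter()
    dns_peer = other = unparsed = 0
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            unparsed += 1
            continue
        by_port[(pkt["proto"], pkt["dport"])] += 1
        by_src[pkt["src"]] += 1
        # udp 53 -> 53 is the normal shape of one name server talking to another;
        # anything else aimed at the host deserves a closer look.
        if pkt["proto"] == "udp" and pkt["sport"] == 53 and pkt["dport"] == 53:
            dns_peer += 1
        else:
            other += 1
    return {"by_port": dict(by_port), "by_src": dict(by_src),
            "dns_peer": dns_peer, "other": other, "unparsed": unparsed}

if __name__ == "__main__":
    s = summarize(SAMPLE_TCPDUMP)
    for (proto, port), n in sorted(s["by_port"].items(), key=lambda kv: -kv[1]):
        print(f"{proto}/{port}: {n}")
    print("dns peer:", s["dns_peer"], "other:", s["other"], "unparsed:", s["unparsed"])
```

Feed it real output with `tcpdump -n host theirhostname.com | python3 summarize.py` style piping by replacing SAMPLE_TCPDUMP with sys.stdin.read(); packets from a single source hitting many unrelated UDP ports will then stand out from ordinary DNS exchanges.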