Date: Sun, 23 Jun 1996 23:30:58 -0500
From: "Bradley Dunn" <dunn@harborcom.net>
To: jaeger <jaeger@com>
Cc: hackers@FreeBSD.org, security@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy
Message-ID: <199606240335.XAA28034@ns2.harborcom.net>
The traceroute results do not indicate any DNS tampering. Traceroute looks up 127.0.0.1 using gethostbyaddr(), which then uses whatever address-to-name translation system you have running (e.g. /etc/hosts, NIS, DNS). I would certainly hope your translation system reports localhost for 127.0.0.1. :)

It does indicate that there is something over there that reports its IP address as 127.0.0.1. Perhaps it is some funky terminal server hardware. Maybe it returns 127.0.0.1 when it knows that it is responsible for the particular IP being traced, but that IP isn't currently assigned? To test this, I tried tracing to some of the other hosts that would be in this pool. For example, a230.pu.ru, a231.pu.ru, etc... Some of the other ones returned this as well. So my guess would be it was a dialup dynamic IP account, and the terminal server sends the packets to its loopback interface if the IP isn't assigned.

On 23 Jun 96 at 22:39, jaeger wrote:

> Because of the presence of the lastlog records and the generally
> good security of FreeBSD, I also suspect there was no root
> compromise on wcarchive. I'm concerned about the possibility of a
> DNS server compromise, given the unusual traceroute results of the
> intruder's IP.

Bradley Dunn <dunn@harborcom.net>
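The point made above, that traceroute prints the source address of the ICMP reply it received and only afterwards asks the local resolver for a name, as an added example that is not part of the original thread. The script parses a constructed BSD-style traceroute listing (addresses are from documentation ranges plus the loopback hop the message describes, not the hosts discussed) and flags hops that answer from an address that cannot belong to an on-path router, so a 127.0.0.1 hop is recognised as a misreporting device rather than as evidence of DNS tampering. The function names parse_traceroute, classify_address, suspicious_hops and reverse_name are my own choices.

```python
import ipaddress
import re
import socket

# Constructed sample of BSD-style traceroute output; not taken from the thread.
# Router addresses use RFC 5737 documentation ranges; hop 4 reproduces the
# loopback answer discussed in the message.
SAMPLE_TRACEROUTE = """\
traceroute to target.example (198.51.100.7), 30 hops max, 40 byte packets
 1  gateway.example.net (192.0.2.1)  1.234 ms  1.100 ms  1.050 ms
 2  192.0.2.254 (192.0.2.254)  5.000 ms  4.900 ms  5.100 ms
 3  * * *
 4  localhost (127.0.0.1)  120.000 ms  119.500 ms  121.000 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<hop>  <rest of line>"
ADDR_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")  # "name (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+)\s*ms")


def parse_traceroute(text):
    """Return one dict per hop: {'hop', 'name', 'addr', 'rtts'}.

    A '* * *' line yields a hop with name/addr None and no RTTs.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, blank line or something we do not parse
        hop_no, rest = int(m.group(1)), m.group(2).strip()
        entry = {"hop": hop_no, "name": None, "addr": None, "rtts": []}
        am = ADDR_RE.match(rest)
        if am:
            entry["name"], entry["addr"] = am.group(1), am.group(2)
            entry["rtts"] = [float(r) for r in RTT_RE.findall(rest[am.end():])]
        hops.append(entry)
    return hops


def classify_address(addr):
    """Label the address a hop replied from by the kind of range it sits in."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "global"


def suspicious_hops(hops):
    """Hops whose reply source can never be a real router interface on the path.

    Such a hop tells you the replying device puts a bogus source address on its
    ICMP time-exceeded message; it says nothing about your DNS, because the
    name next to it was produced by *your* resolver after the fact.
    """
    flagged = []
    for h in hops:
        if h["addr"] is None:
            continue
        kind = classify_address(h["addr"])
        if kind in ("loopback", "unspecified", "multicast"):
            flagged.append((h["hop"], h["addr"], kind))
    return flagged


def reverse_name(addr):
    """Ask the local resolver (hosts file, NIS, DNS) for a name, as traceroute's
    gethostbyaddr() call does. Returns None when nothing answers."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    for hop_no, addr, kind in suspicious_hops(hops):
        print(f"hop {hop_no}: reply from {addr} ({kind}); "
              f"local resolver calls it {reverse_name(addr)!r}")
```

Running the script on the constructed sample flags hop 4 only; the name it prints for 127.0.0.1 depends entirely on the machine the script runs on, which is exactly why the "localhost" label in the original trace carries no information about the remote side.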