On Fri, Feb 18, 2011 at 4:37 PM, James Hogarth james.hogarth@gmail.com wrote:
Your mentor? What do you mean by that?
The same thing Wikipedia says, namely:
a trusted friend, counselor or teacher, usually a more experienced person. Some professions have "mentoring programs" in which newcomers are paired with more experienced people, who advise them and serve as examples as they advance.
Joe, Randy and James are my mentors of 15, 5 and 5 years, respectively, and all said the same thing, namely "nuke and repave, be sure to be current on BIND" since it is a purpose-built box (ns1).
Since others have asked for details, they are below the sig.
With 20/20 hindsight, it is clear that I shouldn't have posted the original post asking the list for help and hopefully informing other potential targets of the risk (read: there were no responses to the original post, therefore it was posted to the wrong audience).
There was no time for forensics at the time of the discovery; just time to get advice and react. What follows is from a few moments ago.
===details===
===box was last nuked and repaved Jul 28 2008
===much unnecessary software removed Jul 28 2008, 57 tasks active per 'ps auxw | wc -l'
===current nmap (same nmap results as on problem day)

Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds
vaden@turtlehill:/opt$ nmap -A -PN ns1.texoma.net

Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Nmap scan report for ns1.texoma.net (
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE VERSION
53/tcp  open  domain
987/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)
| ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
|_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
vaden@turtlehill:/opt$

===named.conf security in 2008
[root@ns1 data]# cat /var/named/chroot/etc/named.conf | more
###
#
# attribution: By Rob Thomas, noc at cymru.com
# http://www.cymru.com/Documents/secure-bind-template.html
# -and-
# http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php
#
# at the behest of
# Dr. Joe Redacted (redacted1.edu)
# Dr. Randall Redacted (redacted2.edu)

=== ssh port not on 22
=== distro's standard iptables save ssh port
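The point of the scan in the details above is that the rebuilt box exposes nothing beyond what a purpose-built nameserver needs, and that the result matches what was seen on the problem day. That comparison can be made mechanically. The Python below is an added example, not code from the thread or from nmap itself: it parses nmap's normal output format, diffs the open ports against an assumed baseline (53/tcp for DNS plus the relocated ssh port), and records the ssh host-key fingerprints so that a key change outside a planned rebuild stands out. The sample input is the scan output as posted, reproduced as a string; the baseline and the "previously recorded" fingerprints are constructed assumptions.

```python
import re

# Constructed sample: the nmap -A -PN output from the post, reproduced as a string so the
# parser runs offline. The address after "(" is absent on the page and is left that way.
SAMPLE_SCAN = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST
Nmap scan report for ns1.texoma.net (
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE VERSION
53/tcp  open  domain
987/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)
| ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA)
|_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
"""

# Assumed baseline for a purpose-built nameserver (not stated in the post): DNS on 53/tcp
# and ssh on its relocated port. Any other open port is a deviation that needs explaining.
BASELINE = {("53", "tcp"): "domain", ("987", "tcp"): "ssh"}

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Matches both "| ssh-hostkey: 1024 <fp> (DSA)" and the continuation "|_1024 <fp> (RSA)".
HOSTKEY_LINE = re.compile(r"^\|[ _]\s*(?:ssh-hostkey:\s*)?(\d+)\s+([0-9a-f:]{47})\s+\((\w+)\)")


def parse_nmap(text):
    """Parse nmap normal output into (hostname, {(port, proto): record}).

    Script lines ('|' / '|_') are attached to the most recent port record, so the
    ssh-hostkey fingerprints end up on the 987/tcp entry.
    """
    host, ports, current = None, {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {"state": state, "service": service,
                       "version": version.strip(), "hostkeys": []}
            ports[(port, proto)] = current
            continue
        m = HOSTKEY_LINE.match(line)
        if m and current is not None:
            bits, fingerprint, keytype = m.groups()
            current["hostkeys"].append((keytype, int(bits), fingerprint))
    return host, ports


def compare_to_baseline(ports, baseline=BASELINE):
    """Return sorted, human-readable deviations between open ports and the baseline."""
    findings = []
    for (port, proto), rec in ports.items():
        if rec["state"] != "open":
            continue
        expected = baseline.get((port, proto))
        if expected is None:
            findings.append("unexpected open %s/%s (%s)" % (port, proto, rec["service"]))
        elif expected != rec["service"]:
            findings.append("%s/%s runs %s, expected %s" % (port, proto, rec["service"], expected))
    for (port, proto), service in baseline.items():
        if ports.get((port, proto), {}).get("state") != "open":
            findings.append("expected %s on %s/%s is not open" % (service, port, proto))
    return sorted(findings)


def hostkey_fingerprints(ports):
    """Collect {keytype: fingerprint} from every port record that carried ssh-hostkey data."""
    return {keytype: fp for rec in ports.values() for keytype, _bits, fp in rec["hostkeys"]}


def changed_hostkeys(current, recorded):
    """Key types whose fingerprint differs from what was recorded at the last known-good scan.

    After a nuke-and-repave every key changes by design; the interesting case is a change
    when no rebuild happened.
    """
    return sorted(k for k, fp in current.items() if k in recorded and recorded[k] != fp)


if __name__ == "__main__":
    host, ports = parse_nmap(SAMPLE_SCAN)
    print(host, compare_to_baseline(ports) or "matches baseline")
    # Constructed "last known-good" fingerprints: one matches, one does not.
    recorded = {"RSA": "10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52",
                "DSA": "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"}
    print("changed host keys:", changed_hostkeys(hostkey_fingerprints(ports), recorded))
```

Kept beside the scan taken on the problem day, the parsed port set and fingerprints give a concrete "same as before" check rather than an eyeball comparison, and the version column (here OpenSSH 3.9p1) is captured so it can be checked against the vendor's advisories as part of the "be current" step.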