I just experienced a very scary thing. An nscd instance on an internal/mostly private machine picked up a bogus entry for localhost matching the address 203.0.37.125 -- which the net admin there has reversing to localhost. It seems to me we have a hacker with some sort of new attack possibly?

The system is an RH7.3 base, with latest patches. As far as I know there aren't any obvious vulns in the system here, and the information didn't come from LDAP, as the server's replication logs NEVER mentioned that information, ever.

I know that there are some solutions to this (including editing nsswitch.conf) but I wanted to know if anyone else has seen this? Replies off-list or on-list (though I have a hard time following all the list traffic...)
This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 10:29:24 PDT