Bugtraq mailing list archives
Silly patch to report version.bind requests
From: crowland () PSIONIC COM (Craig H. Rowland)
Date: Wed, 10 Jun 1998 17:18:45 -0400
Hello,

I wrote this patch for BIND 8.1.2 that will change the version number returned and (most importantly) write to your logs that a person attempted to do so.

To apply:

    cd src/bin/named
    patch < patchfile.name
    re-compile and run (preferably chrooted())

(See http://www.psionic.com/papers/dns.html or http://www.homeport.org/~adam/dns.html for more information)

Test using command:

    dig @127.0.0.1 version.bind chaos txt

You should see "Go away." come back instead of the BIND version number and your log should have an "attackalert" message in it with the IP of the perpetrator. This can be grep'd for if you use an automated logfile auditing tool like swatch or <ahem> logcheck, which already looks for this keyword:

http://www.psionic.com/abacus/abacus_logcheck.html

;)

While I don't suspect this will break anything, I would like to hear if it does. I've been running the patch without incident, but no guarantees as usual.

Thanks,

-- Craig

*** ns_req.c Tue Jun 9 21:56:26 1998 --- ns_req.new Tue Jun 9 21:46:58 1998 *************** *** 665,673 **** PUTLONG(0, *cpp); /* TTL */ tp = *cpp; /* Temp RdLength */ PUTSHORT(0, *cpp); ! copyCharString(cpp, ShortVersion); PUTSHORT((*cpp) - (tp + INT16SZ), tp); /* Real RdLength */ *msglenp = *cpp - msg; /* Total message length */ return (Finish); } --- 665,674 ---- PUTLONG(0, *cpp); /* TTL */ tp = *cpp; /* Temp RdLength */ PUTSHORT(0, *cpp); ! copyCharString(cpp, "Go away."); PUTSHORT((*cpp) - (tp + INT16SZ), tp); /* Real RdLength */ *msglenp = *cpp - msg; /* Total message length */ + ns_info(ns_log_security, "attackalert: BIND version query from %s", sin_ntoa(from)); return (Finish); }
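Review bot: the ns_info() call added just before return (Finish) fires on every version.bind query with no rate limiting, so anyone who can reach the server decides how fast ns_log_security lines are written, and the address printed by sin_ntoa(from) is only the source the packet claimed, which may be forged when the query arrives over UDP. Consider throttling the message (for example one line per source per interval), because tools that key on the attackalert keyword will act on every line. The literal "Go away." that replaces ShortVersion in copyCharString() is also hardcoded; taking the string from configuration would avoid re-patching to change it.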