Security Incidents mailing list archives
Re: Bind8 exploit and a deleted partition map
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 13 Feb 2001 14:29:24 -0800
Derek Kwan wrote:

> Well after my box was rooted and trashed (all drives were trashed clean!) a few yrs back (via nfs buffer overflow bug)
>
> 1) Backup your Servers!

Yep.

> 2) Keep your software version updated

It's tough, but try, try, and have an idea about priorities. Which needs to be fixed by end of the week, which by end of the day, and which needs to be turned off NOW until it is fixed.

> 3) Delete any software (esp. daemon) if you don't plan to use them

OK, this is the reason for my reply. I think this may be unnecessarily strong. The key is do not RUN any daemons you do not need. Just having a file of non-setuid, executable code sitting on the hard drive is of very little risk. Figuring out what can and can't be TURNED OFF without hurting desired functionality on something like a Sun box is hard enough for a novice (and even an experienced) admin. Starting to nuke non-setuid files on disk willy-nilly is not something I would recommend unless you really, really know what you are doing. Even for setuid, I'd recommend flipping setuid bits and leaving the file intact.

> 4) Monitor your syslogs (at least take a peek at it a few times a day)

This can be really tough if you are watching a couple of dozen boxes.

> 5) Back up your servers (did I say that before?)

Yep. Feel free to say it again too.

> Install Tripwire to protect your files like your inetd.conf or ssh_random_seed...

Tripwire does not really protect files, but monitors for changes. I think that is what you mean? And if you have a ssh_random_seed to protect (and I can't think of how it is meaningful to try), upgrade your SSH so you don't.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com
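
The reply above recommends flipping setuid bits and leaving the file intact rather than deleting it. One way to do that, as an added example that is not part of the original message: the function names, the keep-list file and the undo file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Finds setuid/setgid regular files under
# a directory and clears those bits on anything not on a keep-list, leaving
# the files themselves in place. Function and file names are assumptions.
# Paths containing newlines or single quotes are not handled.

# list_sbit DIR: print setuid/setgid regular files under DIR, sorted.
list_sbit() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# strip_sbit DIR KEEPFILE UNDOFILE [apply]
#   KEEPFILE  paths (one per line, exact match) whose bits must stay set
#   UNDOFILE  gets one "chmod <bits> '<path>'" line per change, to restore later
#   apply     without this word the function only reports (dry run)
strip_sbit() {
    dir=$1; keep=$2; undo=$3; action=${4:-dry-run}
    found=$(mktemp) || return 1
    list_sbit "$dir" > "$found"
    while IFS= read -r f; do
        if grep -Fxq -- "$f" "$keep"; then
            echo "keep $f"
            continue
        fi
        bits=""
        if [ -u "$f" ]; then bits="u+s"; fi
        if [ -g "$f" ]; then bits="${bits:+$bits,}g+s"; fi
        if [ "$action" = apply ]; then
            # Record how to put the bits back before removing them.
            printf "chmod %s '%s'\n" "$bits" "$f" >> "$undo"
            chmod u-s,g-s "$f" && echo "cleared $bits $f"
        else
            echo "would clear $bits $f"
        fi
    done < "$found"
    rm -f "$found"
    return 0
}
```

Run it without `apply` first and read the report; if something breaks after applying, running the undo file with `sh` restores the recorded bits.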