Security Incidents mailing list archives
Re: FYI: Bind compromise
From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Tue, 20 Feb 2001 20:53:46 -0500
On Tue, Feb 20, 2001 at 01:22:04PM -0500, Jim Olsen wrote:
> I know this may be somewhat old news to some, but the confirmation of live BIND 8.2.3 exploits may not be.

Woah, there. Did you really mean 8.2.3? Or 8.2.2-P<something>? If the former, then lots of folks are in trouble, since the ISC still thinks that version is secure. (Granted, everything I admin is 9.1.1rc1, but some servers I trust are running 8.2.3, so I'd rather not hear it's got problems, since it means pestering those admins to upgrade to BIND9, which they were none too eager to do the last time around.)

> This server was running named 8.2.3-REL, which I assume was the source of the system compromise. According to my colo provider, everyone who had a collocated Linux box with this version of BIND had been penetrated, so it's possible this attack is self-replicating, although I could not find any traces of this on the compromised system.

Okay, you really did mean this. 8.2.3-REL, last I heard, was supposed to be safe. If the rootkit installed upgraded your 8.2.2-P or 8.2.3-beta version to 8.2.3, that's another story, but if there's a working exploit of 8.2.3, that's bad news, and somebody needs to get the ISC to update their web page (http://www.isc.org/products/BIND/bind-security.html). Without further confirmation, I'd say you should check which version of ssh you're running and go read up on the Bugtraq traffic regarding it over the past week. (Short story, sshd1 from SSH.com is not safe under any version, and using any client to connect to an unknown sshd using protocol 1.5 is a security risk.)

> Thankfully this box isn't that important, and thank goodness I got bind 9.1 up and running on my important boxes before this had happened.

I do hope you mean 9.1.1rc1. (9.1.0 is DoS-able.)

~ g r @ eclipsed.net