Security Incidents mailing list archives

Re: FYI: Bind compromise


From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Tue, 20 Feb 2001 20:53:46 -0500

On Tue, Feb 20, 2001 at 01:22:04PM -0500, Jim Olsen wrote:
> I know this may be somewhat old news to some, but the confirmation of live
> BIND 8.2.3 exploits may not be.

Whoa, there. Did you really mean 8.2.3? Or 8.2.2-P<something>?

If the former, then lots of folks are in trouble, since the ISC
still thinks that version is secure. (Granted, everything I admin is
9.1.1rc1, but some servers I trust are running 8.2.3, so I'd rather
not hear it's got problems, since it means pestering those admins to
upgrade to BIND9, which they were none too eager to do the last time
around.)

> This server was running named 8.2.3-REL, which I assume was the
> source of the system compromise.  According to my colo provider,
> everyone who had a colocated Linux box with this version of BIND
> had been penetrated, so it's possible this attack is self-replicating,
> although I could not find any traces of this on the compromised
> system.

Okay, you really did mean this. 8.2.3-REL, last I heard, was
supposed to be safe. If the rootkit installed upgraded your 8.2.2-P
or 8.2.3-beta version to 8.2.3, that's another story, but if there's
a working exploit of 8.2.3, that's bad news, and somebody needs to
get the ISC to update their web page
(http://www.isc.org/products/BIND/bind-security.html).

Without further confirmation, I'd say you should check which version
of ssh you're running and go read up on the Bugtraq traffic
regarding it over the past week. (Short story, sshd1 from SSH.com
is not safe under any version, and using any client to connect to
an unknown sshd using protocol 1.5 is a security risk.)

> Thankfully this box isn't that important, and thank goodness I got
> BIND 9.1 up and running on my important boxes before this had
> happened.

I do hope you mean 9.1.1rc1. (9.1.0 is DoS-able.)

       ~ g r @ eclipsed.net
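The reply above tells the reader to check two things by hand: which BIND is answering on the box, and which sshd (and which protocol version) it speaks. The script below is an added example, not code from the thread or from either poster. It classifies a version.bind answer and an sshd greeting banner using only the cut-offs the thread itself states (8.x in question, 9.1.0 called DoS-able, 9.1.1rc1 or later fine; any sshd offering protocol 1 flagged), so treat the verdict labels as a reading of this thread, not as authoritative vulnerability data. The hostnames, version strings and banners in the inventory are constructed so the script runs offline; the dig and nc commands in the comments show where the real strings would come from.

```shell
#!/bin/sh
# Added example, not part of the original thread: classify the two version
# strings the reply tells the reader to check (BIND and sshd) against the
# versions discussed above. The cut-offs encode only what the thread says:
# BIND 8.x is in question, 9.1.0 is called DoS-able, 9.1.1rc1 is what the
# author runs, and an sshd speaking protocol 1.x is called unsafe.
# All inputs here are constructed strings so the script runs offline.
#
# On a live host the strings would come from (not run here):
#   dig +short @ns.example.net version.bind chaos txt     -> "9.1.1rc1"
#   printf '' | nc host.example.net 22 | head -n 1        -> SSH-1.99-OpenSSH_2.3.0

# classify_bind VERSION -> bind8 | dos-able | ok | unknown
classify_bind() {
    v=$1
    v=${v#\"}; v=${v%\"}          # dig wraps TXT data in double quotes
    case "$v" in
        8.*)                           echo bind8 ;;     # 8.2.2-P* and the disputed 8.2.3-REL
        9.1.0)                         echo dos-able ;;  # per the reply above
        9.1.1*|9.[2-9]*|9.[1-9][0-9]*) echo ok ;;        # 9.1.1rc1 or later
        *)                             echo unknown ;;   # hidden or unexpected: check by hand
    esac
}

# classify_ssh BANNER -> proto1 | proto1-offered | proto2 | unknown
# The greeting is "SSH-<protoversion>-<softwareversion>"; a protoversion of
# 1.99 means the server accepts both protocol 1 and protocol 2 clients.
classify_ssh() {
    b=$(printf '%s' "$1" | tr -d '\r')   # banners end in CRLF on the wire
    case "$b" in
        SSH-1.99-*) echo proto1-offered ;;
        SSH-1.*)    echo proto1 ;;
        SSH-2.0-*)  echo proto2 ;;
        *)          echo unknown ;;
    esac
}

# report reads "host bind-version ssh-banner" lines on stdin, prints one
# verdict line per host, and returns 1 if any host needs attention.
report() {
    rc=0
    while read -r host bindver banner; do
        [ -z "$host" ] && continue
        bv=$(classify_bind "$bindver")
        sv=$(classify_ssh "$banner")
        printf '%-20s bind=%-10s ssh=%s\n' "$host" "$bv" "$sv"
        case "$bv:$sv" in
            ok:proto2) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed inventory (hostnames and values made up for the example).
report <<'EOF' || echo "one or more hosts need attention"
ns1.example.net   "9.1.1rc1"   SSH-2.0-OpenSSH_2.5.1
ns2.example.net   "8.2.3-REL"  SSH-1.5-1.2.27
ns3.example.net   "9.1.0"      SSH-1.99-OpenSSH_2.3.0
EOF
```

Note that version.bind is trivially spoofable and is often hidden by the operator, and that a rootkit can replace named with a binary that reports whatever it likes (the reply above raises exactly that possibility), so an "ok" from this script is a reason to stop worrying about the version string, not a reason to stop looking at the box.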

