Security Incidents mailing list archives
Re: FYI: Bind compromise
From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Wed, 21 Feb 2001 09:13:38 -0500
On Wed, Feb 21, 2001 at 09:02:08AM -0500, Jim Olsen wrote:
> named as of right now reports this:
>
> [root@ns4 .nis01]# named -v
> named 8.2.3-REL Sat Jan 27 05:32:51 EST 2001
>         prospector () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2.3/src/bin/named
>
> ... but...
>
> I had not considered the fact that the attacker would upgrade the version of named to 8.2.3 -- this is probably the case. I kept no change-log for this server, so I do not know what version was running before the compromise, unfortunately.
>
> Checking rpm:
>
> [root@ns4 .nis01]# rpm -qa | grep -i bind
> bind-utils-8.2.2_P5-9
> ypbind-3.3-28
> bind-devel-8.2.2_P5-9
> bind-8.2.3-0.6.x
Yep, I'd say the rootkit fixed the hole it got in through. (They owned you, but they don't want anyone else on their turf. It makes a certain amount of sense, I swear. This is not an uncommon feature of rootkits.)
> ssh version:
>
> [root@ns4 .nis01]# rpm -qa | grep -i ssh
> ssh-1.2.27-5i
> ssh-clients-1.2.27-5i
> ssh-extras-1.2.27-5i
> ssh-server-1.2.27-5i
> [root@ns4 .nis01]# ssh -V
> SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
> Standard version.  Does not use RSAREF.
That's not exactly a secure sshd, but I don't know of any exploits apropos to a script kiddie for it (correct me if I'm wrong). So, yeah, if you were *actually* running 8.2.2-P5, that's what hosed you.
> ==
> Wanted to let you know that we had a ton of customer Cobalt Linux servers and other various customer Linux servers hacked this weekend due to a vulnerability in BIND. Please make sure that your servers are up to speed as far as patches go and check to make sure that no one has tried to gain unauthorized access to your Linux boxes.
> ==
Yeah, this is the pre-8.2.3 exploit hitting the unwashed masses. Lucky you. Wash up.
> > I do hope you mean 9.1.1rc1. (9.1.0 is DoS-able.)
>
> details, details, details ;-) actually, I meant 9.1.1rc2. this email was typed in a rather hurried fashion - sorry for the missed details.
Heh. Good enough. Do you find rc2 noticeably better in any way? (Did you even try rc1?) (Without a pressing performance or security reason, I'd rather hang on for the 9.1.1 release than update again inside two weeks...)

~ g r @ eclipsed.net
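One check this exchange points at, as an added example that is not part of the thread: the rpm inventory lists bind at 8.2.3 while bind-utils and bind-devel are still at 8.2.2_P5, which is the fingerprint of a single package being replaced outside the normal update path. The script below parses `rpm -qa` and `named -v` output (the thread's own, embedded here as constructed strings) and flags both that inconsistency and any disagreement between the running binary and the package database.

```python
# Added example: spot an out-of-band BIND upgrade from rpm and named -v output.
# Sample input is constructed from the output quoted in this thread.
RPM_QA_OUTPUT = """\
bind-utils-8.2.2_P5-9
ypbind-3.3-28
bind-devel-8.2.2_P5-9
bind-8.2.3-0.6.x
"""
NAMED_V_OUTPUT = "named 8.2.3-REL Sat Jan 27 05:32:51 EST 2001"


def parse_nvr(line):
    """Split an rpm NAME-VERSION-RELEASE string into its three parts.
    Version and release never contain '-', so they are the last two fields."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def bind_subpackages(rpm_qa_output):
    """Return {name: version} for bind and its sub-packages, ignoring
    unrelated grep hits such as ypbind."""
    pkgs = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, _release = parse_nvr(line)
        if name == "bind" or name.startswith("bind-"):
            pkgs[name] = version
    return pkgs


def named_version(named_v_output):
    """Extract the upstream version from `named -v` ('8.2.3' from '8.2.3-REL')."""
    parts = named_v_output.split()
    if len(parts) < 2 or parts[0] != "named":
        return None
    return parts[1].split("-", 1)[0]


def check_bind_consistency(rpm_qa_output, named_v_output):
    """Return a list of findings; an empty list means everything agrees."""
    findings = []
    pkgs = bind_subpackages(rpm_qa_output)
    if len(set(pkgs.values())) > 1:
        # Sub-packages from one build share a version; a lone upgrade of
        # 'bind' (as in the thread) shows up as a disagreement here.
        detail = ", ".join(f"{n}={v}" for n, v in sorted(pkgs.items()))
        findings.append("bind sub-packages disagree: " + detail)
    running = named_version(named_v_output)
    if running and pkgs.get("bind") != running:
        findings.append(f"running named {running} but rpm records bind {pkgs.get('bind')}")
    return findings
```

On a live host, feed it the real `rpm -qa | grep -i bind` and `named -v` output; a clean result only says the database and binary agree, not that the binary is trustworthy, so pair it with `rpm -V bind`.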