Security Incidents mailing list archives

Re: FYI: Bind compromise


From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Wed, 21 Feb 2001 09:13:38 -0500

On Wed, Feb 21, 2001 at 09:02:08AM -0500, Jim Olsen wrote:
> named as of right now reports this:
> [root@ns4 .nis01]# named -v
> named 8.2.3-REL Sat Jan 27 05:32:51 EST 2001
>       prospector () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2.3/src/bin/named

... but...

> I had not considered the fact that the attacker would upgrade the version of
> named to 8.2.3 -- this is probably the case. I kept no change-log for this
> server, so I do not know what version was running before the compromise,
> unfortunately. Checking rpm:
>
> [root@ns4 .nis01]# rpm -qa | grep -i bind
> bind-utils-8.2.2_P5-9
> ypbind-3.3-28
> bind-devel-8.2.2_P5-9
> bind-8.2.3-0.6.x

Yep, I'd say the rootkit fixed the hole it got in through. (They
owned you, but they don't want anyone else on their turf. It makes
a certain amount of sense, I swear. This is not an uncommon feature
of rootkits.)

> ssh version:
> [root@ns4 .nis01]# rpm -qa | grep -i ssh
> ssh-1.2.27-5i
> ssh-clients-1.2.27-5i
> ssh-extras-1.2.27-5i
> ssh-server-1.2.27-5i
> [root@ns4 .nis01]# ssh -V
> SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
> Standard version.  Does not use RSAREF.

That's not exactly a secure sshd, but I don't know of any exploits
apropos to a script kiddie for it (correct me if I'm wrong).

So, yeah, if you were *actually* running 8.2.2-P5, that's what hosed
you.

> ==
> Wanted to let you know that we had a ton of customer Cobalt Linux
> servers and other various customer Linux servers hacked this weekend due
> to a vulnerability in BIND.  Please make sure that your servers are up
> to speed as far as patches go and check to make sure that no one has
> tried to gain unauthorized access to your Linux boxes.
> ==

Yeah, this is the pre-8.2.3 exploit hitting the unwashed masses.
Lucky you. Wash up.

> > I do hope you mean 9.1.1rc1. (9.1.0 is DoS-able.)
> details, details, details ;-)  actually, I meant 9.1.1rc2. this email was
> typed in a rather hurried fashion - sorry for the missed details.

Heh. Good enough.

Do you find rc2 noticeably better in any way? (Did you even try rc1?)

(Without a pressing performance or security reason, I'd rather hang
on for the 9.1.1 release than update again inside two weeks...)

       ~ g r @ eclipsed.net
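As an added example that is not part of this thread, the following shell check automates the signal visible in Jim's rpm listing: the bind server package sits at a different version from its bind-utils and bind-devel siblings, which is what a partial upgrade (here, the intruder patching the hole behind him) leaves behind. It also compares the version the running named reports against the bind package. The sample rpm -qa and named -v text is constructed from the versions quoted above, and the function names are mine, not from any tool.

```shell
#!/bin/sh
# Added example, not from the original thread: detect a BIND install whose
# RPM sub-packages disagree in version, and a named binary whose reported
# version differs from the bind package. Sample input below is constructed
# from the versions quoted in the thread; on a real host feed it
# `rpm -qa` and `named -v` output instead.

SAMPLE_RPM='bind-utils-8.2.2_P5-9
ypbind-3.3-28
bind-devel-8.2.2_P5-9
bind-8.2.3-0.6.x'

SAMPLE_NAMED_V='named 8.2.3-REL Sat Jan 27 05:32:51 EST 2001'

# bind_versions: read rpm -qa lines on stdin, print "package version" for
# every bind-* package (ypbind is unrelated and excluded by the anchor).
# RPM names are name-version-release; version is the second-to-last field.
bind_versions() {
    grep '^bind' | sed -E 's/^(bind[a-z-]*)-([^-]+)-([^-]+)$/\1 \2/'
}

# distinct_bind_versions: how many different versions the bind-* packages
# carry; a healthy install gives 1.
distinct_bind_versions() {
    bind_versions | awk '{print $2}' | sort -u | wc -l | tr -d ' '
}

# named_binary_version: version string from `named -v`, with the -REL
# suffix BIND 8 appends stripped off.
named_binary_version() {
    awk '{print $2}' | sed 's/-REL$//'
}

# check_bind_consistency RPM_OUTPUT NAMED_V_OUTPUT
# Returns 0 when the packages agree and match the binary, 1 otherwise,
# printing a warning line for each finding.
check_bind_consistency() {
    rpm_out=$1
    namedv=$2
    n=$(printf '%s\n' "$rpm_out" | distinct_bind_versions)
    pkgver=$(printf '%s\n' "$rpm_out" | bind_versions | awk '$1=="bind"{print $2}')
    binver=$(printf '%s\n' "$namedv" | named_binary_version)
    status=0
    if [ "$n" -ne 1 ]; then
        echo "WARN: bind sub-packages disagree on version:"
        printf '%s\n' "$rpm_out" | bind_versions | sed 's/^/  /'
        status=1
    fi
    if [ "$binver" != "$pkgver" ]; then
        echo "WARN: named binary reports $binver but bind package is $pkgver"
        status=1
    fi
    return $status
}

# Run against the constructed sample when executed directly.
if check_bind_consistency "$SAMPLE_RPM" "$SAMPLE_NAMED_V"; then
    echo "bind packages and binary are consistent"
else
    echo "bind install looks partially upgraded; investigate"
fi
```

On the sample the script flags the sub-package mismatch but not the binary, which is exactly the situation in the thread: named really is 8.2.3, only the rest of the box never got there. The natural follow-up is `rpm -V bind` to compare installed files against the RPM database, with the caveat that a rootkit that upgraded the package could just as easily have rewritten that database, so the reference should be a pristine copy of the package, not the compromised host's own records.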
