Security Incidents mailing list archives
Re: Bind compromise
From: John <johns () TAMPABAY RR COM>
Date: Wed, 21 Feb 2001 02:35:33 -0500
I am rather curious as to know what services this machine was running also. How do you know the machine was penetrated through the named version running on the client's machine? Is there any visual evidence of this? If in fact they were penetrated through Bind 8.2.3-REL than I suggest you display all the details about this and maybe we can come up with something as to there being a new (another) Bind exploit. I highly doubt this cause if there is a exploit for Bind 8.2.3-REL than we would see MORE wide spread compromises. ----- Original Message ----- From: Jason Lewis <jlewis () jasonlewis net> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Tuesday, February 20, 2001 6:56 PM Subject: Re: Bind compromise : Is there an exploit for 8.2.3-REL? : : What else was running on this box? ftpd? : : What version of SSH? : : I am rolling out two new name servers and I would rather not roll out : something with holes. : : What kind of options are you using in the named.conf? Is it secure? : : jas : http://www.rivalpath.com : : : -----Original Message----- : From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On : Behalf Of Jim Olsen : Sent: Tuesday, February 20, 2001 1:22 PM : To: INCIDENTS () SECURITYFOCUS COM : Subject: FYI: Bind compromise : : : I know this may be somewhat old news to some, but the confirmation of live : BIND 8.2.3 exploit's may not be. One of my customer's boxes was penetrated : last thursday. I lost network connectivity to the box around 7:00 AM , and : got it back online around 8:30 AM with help from my colo provider. Upon : ssh'ing into the box I was investigating the logs to see what had caused the : outage, and I saw some weird log entries, most notably stating that named : and : syslogd had been restarted at 3:00 AM the same day, which is abnormal for : that particular system. : : So, onto the next steps. I did a 'ps auxw' and everything looked fine. Of : course, we all know we can't trust that in and of itself. Time to do an : 'lsof : -i -n -P'. : : [root@ns4 /root]# lsof -i -n -P : COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME : sshd 443 root 3u IPv4 723 TCP *:22 (LISTEN) : named 26675 root 4u IPv4 2695432 UDP *:1917 : named 26675 root 20u IPv4 2693627 UDP 127.0.0.1:53 : named 26675 root 21u IPv4 2693628 TCP 127.0.0.1:53 (LISTEN) : named 26675 root 22u IPv4 2693629 UDP 209.190.211.2:53 : named 26675 root 23u IPv4 2693630 TCP 209.190.211.2:53 (LISTEN) : named 26675 root 24u IPv4 2693631 UDP 209.190.211.3:53 : named 26675 root 25u IPv4 2693632 TCP 209.190.211.3:53 (LISTEN) : named 26675 root 26u IPv4 2693633 UDP 209.190.211.4:53 : named 26675 root 27u IPv4 2693634 TCP 209.190.211.4:53 (LISTEN) : named 26675 root 28u IPv4 2693635 UDP 209.190.211.10:53 : named 26675 root 29u IPv4 2693636 TCP 209.190.211.10:53 (LISTEN) : sshd 27364 root 5u IPv4 2695890 TCP : 209.190.211.10:22->209.190.230.3:813 (ESTABLISHED) : sshd 27364 root 11u IPv4 2695901 TCP *:6010 (LISTEN) : in.amdq 27400 root 3u IPv4 2695932 TCP *:12300 (LISTEN) : : Hrm.. in.amdq? on port 12300? Not normal... Looked at /proc/27400/ and found : out it had been running since 3:00 AM. I tried 'kill 27400'; no go... so : 'kill -9 27400' did the trick for me. If they had made their rootkit good : enough to hide it from /proc and lsof, then I wouldn'tve found it so easily. : Network connectivity stopped working around 7:00 AM, according to the logs; : I : can only assume that the attacker had logged into the box between 3:00 am : and : 7:00 AM and screwed up the networking (either purposefully or by accident). : : also found some other files touched: : : In order to get the daemon to start on bootup, /etc/rc.d/rc.local and : /etc/rc.d/rc.sysinit had this line: : /usr/sbin/in.amdq -q : : also, in /var/log a program was sitting there called 'wzap' which is used to : erase login entries from the 'lastlog'. : : What is in.amdq? A customized ssh daemon of sorts that allows anyone to : connect as root, or so it appears. They also must have used a rootkit of : some : sort, as the process does not show up in ps auxw. There is probably more to : the compromise, but this is all I found. This server was running named : 8.2.3-REL, which i assume was the source of the system compromise. : According : to my colo provider, everyone who had a collocated linux box with this : version of BIND had been penetrated, so it's possible this attack is : self-replicating, although I could not find any traces of this on the : compromised system. Thankfully this box isn't that important, and thank : goodness I got bind 9.1 up and running on my important boxes before this had : happened. : -- : Jim Olsen : Systems Administrator : Browser Media
Current thread:
- FYI: Bind compromise Jim Olsen (Feb 20)
- Re: FYI: Bind compromise Noel Rosenberg (Feb 20)
- Re: Bind compromise Ryan Sweat (Feb 20)
- Re: FYI: Bind compromise gabriel rosenkoetter (Feb 20)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: FYI: Bind compromise gabriel rosenkoetter (Feb 21)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: Bind compromise Jason Lewis (Feb 20)
- Re: Bind compromise Antonio Carlos Pina (Feb 21)
- Re: Bind compromise John (Feb 21)
- Re: FYI: Bind compromise Phil Brutsche (Feb 20)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: FYI: Bind compromise Jason Lewis (Feb 21)
- <Possible follow-ups>
- Re: FYI: Bind compromise Roberto (Feb 21)