Security Incidents mailing list archives
Re: FYI: Bind compromise
From: Jason Lewis <jlewis () jasonlewis net>
Date: Wed, 21 Feb 2001 01:45:21 -0500
I agree...... I looked at the ISC listing of exploits.... http://www.isc.org/products/BIND/bind-security.html

And 8.2.3-betas ARE vulnerable..... Maybe it was beta and not -REL?

My guess is the attacker upgraded BIND to prevent someone from compromising HIS compromise. That makes me laugh for some reason.

jas
http://www.rivalpath.com

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Phil Brutsche
Sent: Tuesday, February 20, 2001 7:35 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: FYI: Bind compromise

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...
What is in.amdq? A customized ssh daemon of sorts that allows anyone to connect as root, or so it appears. They also must have used a rootkit of some sort, as the process does not show up in ps auxw. There is probably more to the compromise, but this is all I found. This server was running named 8.2.3-REL, which I assume was the source of the system compromise. According to my colo provider, everyone who had a colocated linux box with this version of BIND had been penetrated, so it's possible this attack is self-replicating, although I could not find any traces of this on the compromised system. Thankfully this box isn't that important, and thank goodness I got bind 9.1 up and running on my important boxes before this had happened.
I disagree that this is a BIND 8.2.3 exploit. If it was, we probably would have heard about it on BugTraq by now :)

I've seen this rootkit (or, at least, this back door) on a RedHat box that had no business running, and was not running, BIND. They were, however, running all sorts of other services (it was RedHat 6.0, with *no* updates) that had nasty vulnerabilities.

If you still have access to the compromised system, I think you'll find some files under /dev/sdc0/ (where the ssh backdoor gets its configuration). I think you will also find /usr/sbin/in.sysched. I have no idea what that does; I've heard it may be a DDoS tool. I haven't been able to find anything conclusive about it on Google, and nothing on packetstorm and SecurityFocus. What I know about it starts with the (way too short) thread at http://plug.skylab.org/200007/msg00526.html, and another (also way too short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html. As well as some stuff in Norwegian.

- --
- ----------------------------------------------------------------------
Phil Brutsche
pbrutsch () tux creighton edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6kw1I/ZTSZFDeHPwRAnCiAJ9M0VX4PGjJtkve17HCjSeH+VANZACePVYo
xGJp8qcMnM15tfGs2ewIo3U=
=y0+C
-----END PGP SIGNATURE-----
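The two symptoms the thread turns on are a daemon that does not appear in ps auxw and a handful of file and program names (in.amdq, /usr/sbin/in.sysched, /dev/sdc0) that Phil says the back door leaves behind. The script below is an added example written for this archive page; it is not code from any poster. It performs a cross-view process check (PIDs read straight from /proc versus PIDs reported by ps) and a sweep for the indicator names taken from Phil's message. It assumes a procps-style ps auxw layout of eleven columns with COMMAND last; the sample ps output, the /proc listing and the "hidden" PID 611 are constructed for the example.

```python
"""Added example, not code from the thread.

1. Cross-view process check: a trojaned ps binary or an LD_PRELOAD-style
   rootkit can filter what ps prints, but the /proc/<pid> directory is
   still there, so a PID seen in /proc and not in ps deserves a look.
   Caveat: a kernel-level rootkit can hide the /proc entry as well, so an
   empty result does not prove the host is clean.
2. Sweep for the indicator names given in the thread.
"""
import os
import subprocess
from typing import Callable, Iterable, List, Set, Tuple

# Indicators taken from Phil's message in the thread.
INDICATOR_PATHS = ["/dev/sdc0", "/usr/sbin/in.sysched"]
INDICATOR_NAMES = {"in.amdq", "in.sysched"}

# Constructed sample data (not real captures); PID 611 is the planted gap.
PS_SAMPLE = """USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
root         1  0.0  0.1 1104  460 ?     S    Feb20 0:04 init
root       312  0.0  0.2 2400 1200 ?     S    Feb20 0:00 /usr/sbin/named
root       417  0.0  0.3 3100 1500 ?     S    Feb20 0:00 /usr/sbin/sshd
root      5150  0.0  0.1 1000  400 pts/0 R    01:40 0:00 ps auxw
"""
PROC_SAMPLE = ["1", "312", "417", "611", "5150", "self", "cpuinfo", "net"]


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """PIDs are the purely numeric directory names under /proc."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """PIDs from `ps auxw` output: second column, header line skipped."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids


def hidden_pids(proc_entries: Iterable[str], ps_output: str) -> Set[int]:
    """PIDs present in /proc but absent from ps.  A process that exited
    between the two snapshots lands here too, so re-run before treating a
    PID as deliberately hidden."""
    return pids_from_proc(proc_entries) - pids_from_ps(ps_output)


def suspicious_commands(ps_output: str) -> List[Tuple[int, str]]:
    """(pid, command) pairs whose program name matches a known indicator."""
    hits = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 10)  # 11 columns; COMMAND keeps its spaces
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        program = os.path.basename(fields[10].split()[0])
        if program in INDICATOR_NAMES:
            hits.append((int(fields[1]), fields[10]))
    return hits


def indicator_paths_present(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Indicator paths that exist; `exists` is injectable for offline testing."""
    return [path for path in INDICATOR_PATHS if exists(path)]


def live_check() -> dict:
    """Run all three checks against the host this is executed on."""
    ps_out = subprocess.run(["ps", "auxw"], capture_output=True,
                            text=True, check=True).stdout
    return {
        "hidden_pids": hidden_pids(os.listdir("/proc"), ps_out),
        "suspicious": suspicious_commands(ps_out),
        "paths": indicator_paths_present(),
    }


if __name__ == "__main__":
    print("sample hidden PIDs:", hidden_pids(PROC_SAMPLE, PS_SAMPLE))
    print("live:", live_check())
```

On a box where ps itself may be trojaned, run the check from a statically linked ps copied from known-good media, or do the /proc listing with a shell builtin; the point of the cross-view comparison is to give the rootkit two views to keep consistent rather than one.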